Description
The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
References (2)
Vendor Advisory (x_refsource_confirm): https://pivotal.io/security/cve-2014-0097
Vendor Advisory (x_refsource_misc): https://www.oracle.com/security-alerts/cpuapr2022.html
Scores
CVSS v3: 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Attack Vector: NETWORK
EPSS: 0.0023
EPSS Percentile: 46.2%
Details
CWE: CWE-287
Status: published
Products (11)
org.springframework.security/spring-security-core 3.2.0 - 3.2.2.RELEASE (Maven)
Pivotal/Spring Security 3.1.0 to 3.1.5
Pivotal/Spring Security 3.2.0 to 3.2.1
vmware/spring_security 3.1.0
vmware/spring_security 3.1.1
vmware/spring_security 3.1.2
vmware/spring_security 3.1.3
vmware/spring_security 3.1.4
vmware/spring_security 3.1.5
vmware/spring_security 3.2.0
... and 1 more
Published: May 25, 2017
Tracked Since: Feb 18, 2026