CVE-2014-0097 Blank password may bypass user authentication


Severity

Important

Vendor

Spring by Pivotal

Versions Affected

  • Spring Security 3.2.0 to 3.2.1
  • Spring Security 3.1.0 to 3.1.5

Description

The ActiveDirectoryLdapAuthenticator does not check the password length before attempting the LDAP bind. In LDAP a simple bind with an empty password is an anonymous (unauthenticated) bind, so if the directory allows anonymous binds the bind succeeds and the authenticator may incorrectly authenticate a user who supplies an empty password.
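The following is an added illustration of the failure mode and its fix; it is not Spring Security code. It simulates LDAP simple-bind semantics against a constructed in-memory directory (the DN, password and `allow_anonymous` flag are assumptions) and contrasts an authenticator that trusts any successful bind with one that rejects empty passwords up front and refuses a bind the directory treated as anonymous.

```python
"""Simulated LDAP bind showing why an empty password must be rejected
before binding (constructed example, not Spring Security's code)."""

from dataclasses import dataclass

# Constructed directory: user DN -> password (assumed values).
DIRECTORY = {"cn=alice,dc=example,dc=com": "s3cret"}


@dataclass
class BindResult:
    success: bool
    anonymous: bool  # True when the directory treated the bind as anonymous


def ldap_simple_bind(dn: str, password: str, allow_anonymous: bool) -> BindResult:
    """Mimics LDAP simple bind (RFC 4513 section 5.1.2): a bind with a DN
    and an empty password is an unauthenticated/anonymous bind, which a
    directory configured to allow anonymous access will accept."""
    if password == "":
        if allow_anonymous:
            return BindResult(success=True, anonymous=True)
        return BindResult(success=False, anonymous=False)
    if DIRECTORY.get(dn) == password:
        return BindResult(success=True, anonymous=False)
    return BindResult(success=False, anonymous=False)


def authenticate_vulnerable(dn: str, password: str, allow_anonymous: bool = True) -> bool:
    """Treats any successful bind as proof of identity: an empty password
    against a directory allowing anonymous binds is accepted."""
    return ldap_simple_bind(dn, password, allow_anonymous).success


def authenticate_fixed(dn: str, password: str, allow_anonymous: bool = True) -> bool:
    """Rejects an empty password before contacting the directory, and also
    refuses to treat an anonymous bind as authentication of `dn`."""
    if not password:
        return False
    result = ldap_simple_bind(dn, password, allow_anonymous)
    return result.success and not result.anonymous


if __name__ == "__main__":
    alice = "cn=alice,dc=example,dc=com"
    print("vulnerable, empty password:", authenticate_vulnerable(alice, ""))
    print("fixed, empty password:     ", authenticate_fixed(alice, ""))
    print("fixed, correct password:   ", authenticate_fixed(alice, "s3cret"))
```

The up-front empty-password check is the cheap fix the advisory's upgrade delivers; the second check (refusing an anonymous bind result) is defence in depth for clients whose LDAP library reports the bind's authorization identity, and disabling anonymous binds on the directory removes the condition entirely.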

Mitigation

Users of affected versions should apply the following mitigation:

  • Users of 3.2.x should upgrade to 3.2.2 or later
  • Users of 3.1.x should upgrade to 3.1.6 or later

Credit

This issue was identified by the Spring Development team.

References

History

2014-Mar-11: Initial vulnerability report published

2014-Mar-11: Affected versions corrected to add 3.1.0 to 3.1.5

2014-Jun-19: Add mitigation for 3.1.x users
