PT-2017-5773 · Spring · Spring Security

Publicado

2017-05-25

Atualizado

2022-05-13

CVE-2014-0097

CVSS v2.0

7.5

Alta

Vetor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Spring Security versions 3.1.0 through 3.1.5 Spring Security versions 3.2.0 through 3.2.1

Description: The issue concerns the ActiveDirectoryLdapAuthenticator in Spring Security, which fails to check the password length. This can lead to incorrect user authentication if the directory allows anonymous binds and an empty password is supplied.

Recommendations: For Spring Security versions 3.1.0 through 3.1.5, update to a version that includes the fix for this issue. For Spring Security versions 3.2.0 through 3.2.1, update to a version that includes the fix for this issue. As a temporary workaround, consider configuring the directory to disallow anonymous binds until a patch is available.

Correção

Improper Authentication

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-287

Identificadores relacionados

CVE-2014-0097

GHSA-GV9V-C375-HVMG

Produtos afetados

Spring Security

PT-2017-5773 · Spring · Spring Security

CVE-2014-0097

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 8