PT-2017-4053 · Pivotal · Spring Ldap
Published: 2017-11-22 · Updated: 2022-05-13 · CVE-2017-8028
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Pivotal Spring-LDAP versions 1.3.0 through 2.3.1
Description
The issue is an authentication bypass in the LDAP integration used by the Spring Security Java framework (Spring LDAP). When connected to certain LDAP servers and using the LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, authentication succeeds with an arbitrary password as long as the username is correct. The cause is that some LDAP vendors require an explicit operation after the bind request before the bind takes effect; if no such operation is performed, the supplied password is never actually checked by the server.
Recommendations
For Pivotal Spring-LDAP versions 1.3.0 through 2.3.1, consider switching to an authentication strategy that does not accept arbitrary passwords. As a temporary workaround, restrict access to the LDAP BindAuthenticator until a patch is available. Also review the userSearch and authentication configuration to make sure they are properly secured. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
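A defensive illustration of the recommendation above, added here and not part of the advisory or of Spring LDAP itself: a hypothetical authentication strategy that forces the bind to take effect before the connection is treated as authenticated. It assumes a Spring LDAP 2.x classpath; the class name, the call to reconnect() and the follow-up attribute lookup are this example's choices.

```java
package example.ldap; // hypothetical package, not part of Spring LDAP

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.LdapContext;

import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;

/**
 * Hypothetical hardened strategy (added example, not the project's own fix).
 *
 * DefaultTlsDirContextAuthenticationStrategy only stores the user's DN and
 * password in the JNDI environment. JNDI applies such changes lazily, so on
 * servers that need an explicit operation the bind may never be sent, and an
 * arbitrary password is accepted as long as the DN exists. Forcing an
 * operation right after the credentials are set makes a wrong password fail
 * here, with a javax.naming.AuthenticationException, instead of being ignored.
 *
 * Wiring (assumed): contextSource.setAuthenticationStrategy(
 *     new VerifiedTlsAuthenticationStrategy());
 */
public class VerifiedTlsAuthenticationStrategy
        extends DefaultTlsDirContextAuthenticationStrategy {

    @Override
    protected void applyAuthentication(LdapContext ctx, String userDn, String password)
            throws NamingException {
        // Same credential setup as the default strategy.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);

        // Explicitly re-bind with the new environment so the bind is sent now.
        ctx.reconnect(null);

        // Belt and braces: perform a real operation as the bound user. If the
        // server did not accept the credentials this throws instead of returning.
        ctx.getAttributes(userDn, new String[] { "objectClass" });
    }
}
```

With this in place, a BindAuthenticator that uses the context source sees a NamingException for a wrong password and rejects the login, which is also the event to alert on in the application's authentication logs.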
Weakness Enumeration
Improper Authentication
Affected Products
Spring Ldap