PT-2017-5773 · Spring · Spring Security

Published

2017-05-25

Updated

2022-05-13

CVE-2014-0097

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Spring Security versions 3.1.0 through 3.1.5 Spring Security versions 3.2.0 through 3.2.1

Description: The issue concerns the ActiveDirectoryLdapAuthenticator in Spring Security, which fails to check the password length. This can lead to incorrect user authentication if the directory allows anonymous binds and an empty password is supplied.

Recommendations: For Spring Security versions 3.1.0 through 3.1.5, update to a version that includes the fix for this issue. For Spring Security versions 3.2.0 through 3.2.1, update to a version that includes the fix for this issue. As a temporary workaround, consider configuring the directory to disallow anonymous binds until a patch is available.

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2014-0097

GHSA-GV9V-C375-HVMG

Affected Products

Spring Security

PT-2017-5773 · Spring · Spring Security

CVE-2014-0097

Weakness Enumeration

Related Identifiers

Affected Products

References · 8