CVE-2014-0097
UNKNOWN
Published 2017-05-25T17:00:00
Actions:
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2014-0097. We'll provide specific mitigation strategies based on your environment and risk profile.
No CVSS data available
Description
The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
Available Exploits
No exploits available for this CVE.
Related News
No news articles found for this CVE.
Affected Products
Affected Versions:
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
Advisory Details
The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
Affected Packages
Maven
org.springframework.security:spring-security-core
ECOSYSTEM:
≥3.2.0
<3.2.2.RELEASE
Maven
org.springframework.security:spring-security-core
ECOSYSTEM:
≥3.1.0
<3.1.5.RELEASE
CVSS Scoring
CVSS Score
7.5
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References
WEB
https://github.com/spring-projects/spring-security/commit/7dbb8e777ece8675f3333a1ef1cb4d6b9be80395
WEB
https://github.com/spring-projects/spring-security/commit/88559882e967085c47a7e1dcbc4dc32c2c796868
Advisory provided by GitHub Security Advisory Database. Published: May 13, 2022, Modified: July 7, 2022
References
Published: 2017-05-25T17:00:00
Last Modified: 2024-08-06T09:05:38.302Z
Copied to clipboard!