The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds, the authenticator may incorrectly authenticate a user who supplies an empty password.

| Software | From | Fixed in |
|---|---|---|
| vmware / spring_security | 3.1.4 | 3.1.4.x |
| vmware / spring_security | 3.1.0 | 3.1.0.x |
| vmware / spring_security | 3.1.5 | 3.1.5.x |
| vmware / spring_security | 3.1.3 | 3.1.3.x |
| vmware / spring_security | 3.1.1 | 3.1.1.x |
| vmware / spring_security | 3.1.2 | 3.1.2.x |
| vmware / spring_security | 3.2.1 | 3.2.1.x |
| vmware / spring_security | 3.2.0 | 3.2.0.x |
| org.springframework.security / spring-security-core | 3.2.0 | 3.2.2.RELEASE |
| org.springframework.security / spring-security-core | 3.1.0 | 3.1.5.RELEASE |
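
The missing check described above, sketched as an added example (not Spring Security's code or its actual patch): a plain JNDI bind helper that refuses a zero-length password before contacting the directory. The class and method names, and the sample host and user, are hypothetical.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added illustration; class and method names are hypothetical, not Spring Security's.
public class EmptyPasswordGuard {

    /** Binds to the directory as the user, refusing credentials that would
     *  turn the request into an anonymous-equivalent simple bind. */
    static DirContext bindAsUser(String ldapUrl, String principal, String password)
            throws NamingException {
        // The check the advisory says was missing: a simple bind with a
        // zero-length password carries no proof of identity, so a directory
        // that permits anonymous binds may answer "success".
        if (principal == null || principal.isEmpty()
                || password == null || password.isEmpty()) {
            throw new AuthenticationException(
                    "Empty username or password rejected before bind");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Throws AuthenticationException when the directory rejects the credentials.
        return new InitialDirContext(env);
    }

    public static void main(String[] args) {
        // Constructed sample values; the guard fires before any network traffic.
        String url = "ldap://dc.example.test:389";
        String user = "alice@example.test";
        for (String pw : new String[] {"", null}) {
            try {
                bindAsUser(url, user, pw).close();
                System.out.println("UNEXPECTED: bind attempted with empty password");
            } catch (AuthenticationException e) {
                System.out.println("rejected: " + e.getMessage());
            } catch (NamingException e) {
                System.out.println("directory error: " + e.getMessage());
            }
        }
    }
}
```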