CVE-2014-0097 Blank password may bypass user authentication
Spring by Pivotal
- Spring Security 3.2.0 to 3.2.1
- Spring Security 3.1.0 to 3.1.5
The ActiveDirectoryLdapAuthenticator does not check the password length before attempting to bind to the directory. An LDAP simple bind that carries a user name but a zero-length password is an unauthenticated bind, which a directory that allows anonymous binds accepts without verifying any credential. As a result, a request that supplies a valid user name and an empty password may be incorrectly authenticated as that user.
Users of affected versions should apply the following mitigation:
- Users of 3.2.x should upgrade to 3.2.2 or later
- Users of 3.1.x should upgrade to 3.1.6 or later
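For deployments that cannot upgrade immediately, the missing check can be applied in front of the directory provider. The following is an added example, not Spring Security's own code: a hypothetical wrapper AuthenticationProvider (class name NonEmptyPasswordAuthenticationProvider is an assumption) that rejects a null or empty password before any LDAP bind is attempted and otherwise delegates to the configured Active Directory provider. It assumes the Spring Security 3.x AuthenticationProvider and UsernamePasswordAuthenticationToken API.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/**
 * Hypothetical stopgap wrapper (not part of Spring Security).
 * Register it in the authentication manager in place of the Active Directory
 * provider and pass that provider in as the delegate. Requests with an empty
 * password are refused here, so no unauthenticated simple bind ever reaches
 * the directory.
 */
public class NonEmptyPasswordAuthenticationProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate;

    public NonEmptyPasswordAuthenticationProvider(AuthenticationProvider delegate) {
        if (delegate == null) {
            throw new IllegalArgumentException("delegate must not be null");
        }
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Object credentials = authentication.getCredentials();
        // A null or zero-length password would be sent as an unauthenticated
        // simple bind, which a directory that allows anonymous binds accepts.
        // Fail closed before the delegate talks to the directory.
        if (credentials == null || credentials.toString().isEmpty()) {
            throw new BadCredentialsException("Empty password is not accepted");
        }
        return delegate.authenticate(authentication);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only handle the token type the delegate handles; this wrapper adds
        // a check, it does not widen what is accepted.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication)
                && delegate.supports(authentication);
    }
}
```

The wrapper is a stopgap only and does not replace the upgrade to a fixed version. Independently of the application-side check, configuring the directory to reject anonymous binds removes the precondition the advisory names.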
This issue was identified by the Spring Development team.
2014-Mar-11: Initial vulnerability report published
2014-Mar-11: Affected versions corrected to add 3.1.0 to 3.1.5
2014-Jun-19: Add mitigation for 3.1.x users