Authentication Flaw in Spring Security Affecting LDAP Users
CVE-2014-0097

7.3HIGH

Key Information:

Vendor

Pivotal

CVE Published:
25 May 2017

What is CVE-2014-0097?

The ActiveDirectoryLdapAuthenticator component in Spring Security versions 3.1.x (3.1.0 to 3.1.5) and 3.2.x (3.2.0 to 3.2.1) does not correctly validate the length of the supplied password, so an empty password is passed on to the directory bind. If the LDAP directory is configured to permit anonymous (unauthenticated) binds, that bind succeeds and a user who supplies an empty password can be authenticated without valid credentials, exposing sensitive information.
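The following is an added example, not Spring Security's code, that models the condition behind this flaw. Under RFC 4513 (section 5.1.2) an LDAP simple bind that carries a distinguished name but an empty password is an "unauthenticated" bind, and a directory that permits it answers with anonymous rights rather than invalidCredentials. An authenticator that forwards the user's password unchecked therefore treats anyone submitting an empty password as logged in. The `FakeDirectory` below is a constructed stand-in for a real LDAP server (no network is touched); `vulnerable_authenticate` reproduces the unchecked behaviour and `hardened_authenticate` shows the guard a defender wants: reject an empty password before any bind is attempted.

```python
"""Empty-password guard in front of an LDAP simple bind (added example)."""

from typing import Dict, Optional


class BadCredentials(Exception):
    """Raised when authentication must fail."""


class FakeDirectory:
    """Constructed stand-in for an LDAP server's simple-bind behaviour.

    Real servers do not return the bound identity in the bind response; a
    client would need the "Who Am I?" extended operation (RFC 4532). The
    stand-in returns it directly so the effect of the bind is visible.
    """

    def __init__(self, passwords: Dict[str, str],
                 allow_unauthenticated_bind: bool = True) -> None:
        self.passwords = passwords                       # DN -> password
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, dn: str, password: str) -> str:
        """Return the identity granted by the bind, or raise BadCredentials."""
        if password == "":
            # RFC 4513 5.1.2: name + empty password is an unauthenticated bind.
            if self.allow_unauthenticated_bind:
                return "anonymous"
            raise BadCredentials("unauthenticated bind refused")
        if self.passwords.get(dn) == password:
            return dn
        raise BadCredentials("invalidCredentials")


def vulnerable_authenticate(directory: FakeDirectory, user_dn: str,
                            password: str) -> bool:
    """Forward the submitted password straight to the bind.

    With a directory that allows unauthenticated binds, an empty password
    makes the bind succeed (as anonymous) and the caller is reported as
    authenticated. This is the behaviour the advisory describes.
    """
    try:
        directory.simple_bind(user_dn, password)
        return True
    except BadCredentials:
        return False


def hardened_authenticate(directory: FakeDirectory, user_dn: str,
                          password: Optional[str]) -> bool:
    """Reject empty passwords before binding, then require that the bind
    actually produced the user's own identity rather than anonymous."""
    if not password:            # None or "" never reaches the directory
        return False
    try:
        granted = directory.simple_bind(user_dn, password)
    except BadCredentials:
        return False
    return granted == user_dn


def demo() -> Dict[str, bool]:
    """Run both authenticators against the same constructed directory."""
    alice = "cn=alice,dc=example,dc=com"
    permissive = FakeDirectory({alice: "s3cret"})            # risky setting
    strict = FakeDirectory({alice: "s3cret"},
                           allow_unauthenticated_bind=False)  # hardened LDAP
    return {
        "vulnerable_empty_pw_permissive": vulnerable_authenticate(permissive, alice, ""),
        "vulnerable_empty_pw_strict": vulnerable_authenticate(strict, alice, ""),
        "hardened_empty_pw_permissive": hardened_authenticate(permissive, alice, ""),
        "hardened_good_pw": hardened_authenticate(permissive, alice, "s3cret"),
        "hardened_wrong_pw": hardened_authenticate(permissive, alice, "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'authenticated' if outcome else 'rejected'}")
```

The two layers are independent: the application-side empty-password check removes the bug regardless of how the directory is configured, and disabling unauthenticated binds on the directory contains the damage if some other client forgets the check. Running the demo shows the vulnerable path accepting an empty password only against the permissive directory, while the hardened path rejects it in every case and still accepts the correct password.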

Affected Version(s)

Spring Security 3.2.0 to 3.2.1

Spring Security 3.1.0 to 3.1.5

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
