Authentication Flaw in Spring Security Affecting LDAP Users
CVE-2014-0097
7.3 HIGH
What is CVE-2014-0097?
The ActiveDirectoryLdapAuthenticator (the ActiveDirectoryLdapAuthenticationProvider class) in Spring Security 3.1.0 through 3.1.5 and 3.2.0 through 3.2.1 does not check the length of the supplied password before binding to the directory. An LDAP simple bind that carries a user name but a zero-length password is an "unauthenticated" bind (RFC 4513, section 5.1.2): a directory that permits anonymous binds answers it with success rather than invalidCredentials. The provider treats that success as a verified login, so anyone who knows a valid account name can authenticate with an empty password and reach whatever that account protects. The check was added in Spring Security 3.2.2 and 3.1.6; until an upgrade is possible, configuring the directory to reject anonymous and unauthenticated binds also closes the hole.
Affected Version(s)
Spring Security 3.2.0 to 3.2.1
Spring Security 3.1.0 to 3.1.5
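The following is an added example, not Spring Security code or the project's fix, that reproduces the flawed pattern and the guard that closes it using plain JNDI. It assumes a hypothetical Active Directory host (dc.example.com) and a hypothetical user principal; the unchecked path only demonstrates the bug against a live directory that permits anonymous binds, while the checked path rejects an empty password before any network traffic.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example (not Spring Security code). Shows why an empty password can
 * "authenticate" against a directory that permits anonymous binds, and the
 * pre-bind length check that prevents it.
 */
public class LdapBindCheck {

    // Hypothetical directory; substitute your own host.
    static final String LDAP_URL = "ldap://dc.example.com:389";

    /**
     * Vulnerable pattern: the caller's password goes straight into a simple
     * bind. Per RFC 4513 section 5.1.2, a simple bind with a non-empty name
     * and an EMPTY password is an "unauthenticated" bind. JNDI sends the
     * empty credential as given; a directory that allows unauthenticated
     * binds answers success (an anonymous session), so this method returns
     * true although no password was ever verified.
     */
    static boolean bindUnchecked(String userPrincipal, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userPrincipal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            DirContext ctx = new InitialDirContext(env); // performs the bind
            ctx.close();
            return true;                                  // bind result: success
        } catch (AuthenticationException e) {
            return false;                                 // invalidCredentials
        } catch (NamingException e) {
            throw new IllegalStateException("directory unreachable", e);
        }
    }

    /**
     * Hardened pattern: refuse empty or missing credentials locally, so an
     * unauthenticated bind can never be mistaken for a password check.
     */
    static boolean bindChecked(String userPrincipal, String password) {
        if (userPrincipal == null || userPrincipal.isEmpty()
                || password == null || password.isEmpty()) {
            return false;
        }
        return bindUnchecked(userPrincipal, password);
    }

    public static void main(String[] args) {
        // The guarded method rejects an empty password without contacting
        // the directory at all.
        System.out.println("checked(empty)   = " + bindChecked("alice@example.com", ""));
        // The unguarded method is reachable only via an argument so that
        // running the class with none never touches the network. Against a
        // directory that permits anonymous binds it prints true.
        if (args.length == 1) {
            System.out.println("unchecked(empty) = " + bindUnchecked(args[0], ""));
        }
    }
}
```

To confirm whether a directory is exposed, the same probe can be done from the command line with a zero-length password (for example `ldapwhoami -x -H ldap://dc.example.com -D 'alice@example.com' -w ''`): a server that answers with an anonymous identity instead of invalidCredentials will satisfy the unchecked bind above, and any application that skips the length check in front of it is affected regardless of framework.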
