CVE-2014-0097 Blank password may bypass user authentication
Vendor: Spring by Pivotal
- Spring Security 3.2.0 to 3.2.1
- Spring Security 3.1.0 to 3.1.5
The ActiveDirectoryLdapAuthenticator does not check the password length. If the
directory allows anonymous binds then it may incorrectly authenticate a user who
supplies an empty password.
Users of affected versions should apply the following mitigation:
- Users of 3.2.x should upgrade to 3.2.2
This issue was identified by the Spring Development team.
2014-Mar-11: Initial vulnerability report published.
2014-Mar-11: Affected versions corrected to add 3.1.0 to 3.1.5