Spring Security 3.2.1 / 3.1.5 Authentication Bypass

2014-03-13
ID: 78089
CVE-2014-0097 Blank password may bypass user authentication

Severity: Important

Vendor: Spring by Pivotal

Versions Affected:
- Spring Security 3.2.0 to 3.2.1
- Spring Security 3.1.0 to 3.1.5

Description:
The ActiveDirectoryLdapAuthenticator does not check the password length. If the
directory allows anonymous binds then it may incorrectly authenticate a user who
supplies an empty password.
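The failure mode described above, as an added illustrative model that is not Spring's code: a constructed stand-in directory (no network, constructed `example.com` principals) honours the LDAP "unauthenticated bind" of RFC 4513 section 5.1.2, the pre-fix authenticator treats any successful bind as proof of identity, and the fixed authenticator applies the empty-password check before binding.

```python
from dataclasses import dataclass, field


class BadCredentials(Exception):
    """Raised when a bind or an authentication attempt is rejected."""


@dataclass
class FakeDirectory:
    """Constructed stand-in for an AD/LDAP server (no network involved).

    A simple bind carrying a name but an empty password is an 'unauthenticated
    bind' (RFC 4513 s5.1.2); a server that allows anonymous access answers it
    with success, which is exactly the condition the advisory describes.
    """
    users: dict = field(default_factory=dict)   # principal -> password
    allow_anonymous: bool = True

    def simple_bind(self, name: str, password: str) -> str:
        if name and not password:
            if self.allow_anonymous:
                return "anonymous"          # success, but no identity was proven
            raise BadCredentials("unauthenticated bind refused")
        if name in self.users and self.users[name] == password:
            return "authenticated"
        raise BadCredentials("invalid credentials")


def authenticate_vulnerable(directory: FakeDirectory, username: str, password: str) -> str:
    """Pre-fix logic: any successful bind is taken as proof of the user's identity."""
    directory.simple_bind(f"{username}@example.com", password)  # constructed domain
    return username


def authenticate_fixed(directory: FakeDirectory, username: str, password: str) -> str:
    """Fixed logic: reject an empty password before a bind is ever attempted."""
    if not password:
        raise BadCredentials("Empty Password")
    directory.simple_bind(f"{username}@example.com", password)  # constructed domain
    return username


def login_allowed(authenticate, directory: FakeDirectory, username: str, password: str) -> bool:
    """True if the authenticator accepts the credentials, False if it rejects them."""
    try:
        authenticate(directory, username, password)
        return True
    except BadCredentials:
        return False
```

Run `login_allowed(authenticate_vulnerable, FakeDirectory(users={"alice@example.com": "s3cret"}), "alice", "")` to see the empty password accepted, and the same call with `authenticate_fixed` to see it rejected; setting `allow_anonymous=False` on the directory also closes the hole, which is why the description ties the bug to directories that permit anonymous binds.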

Mitigation:
Users of affected versions should apply the following mitigation:
- Users of 3.2.x should upgrade to 3.2.2

Credit:
This issue was identified by the Spring Development team.

References:
http://www.gopivotal.com/security/cve-2014-0097
https://jira.springsource.org/browse/SEC-2500
https://github.com/spring-projects/spring-security/commit/88559882e967085c47a7e1dcbc4dc32c2c796868
https://github.com/spring-projects/spring-security/commit/7dbb8e777ece8675f3333a1ef1cb4d6b9be80395
https://github.com/spring-projects/spring-security/commit/a7005bd74241ac8e2e7b38ae31bc4b0f641ef973

History:
2014-Mar-11: Initial vulnerability report published.
2014-Mar-11: Affected versions corrected to add 3.1.0 to 3.1.5.