CVE-2014-0097

Severity
7.3 HIGH
EPSS
0.2% (top 53.71%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 25
Latest update: May 13

Description

The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
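
The mechanism behind that sentence is an LDAP detail worth spelling out: a simple bind that carries a name but an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2, what the description calls an anonymous bind). A server that permits it answers success, but the resulting authorization is anonymous, so no password was ever checked. An authenticator that skips its own length check and treats "the bind did not fail" as "the user is who they say" therefore accepts any empty password. The Python below is an added illustration of that control flow and of the pre-bind check the description says is missing; it is not Spring Security code and not a real LDAP client. FakeDirectory, the account alice@corp.example and its password are constructed for this example.

```python
# Added illustration for CVE-2014-0097 (not Spring Security code, not a real
# LDAP client). Two things combine into the bypass:
#   1. RFC 4513 section 5.1 simple-bind semantics: name + empty password is an
#      "unauthenticated" bind; a server may accept it, yielding anonymous authz.
#   2. An authenticator that never inspects the password and treats
#      "bind did not fail" as "credentials verified".
# FakeDirectory and the sample account are constructed for this example.
from dataclasses import dataclass


@dataclass
class BindResult:
    success: bool
    authz_id: str        # identity the server granted; "" means anonymous
    diagnostic: str = ""


class FakeDirectory:
    """Stand-in for a directory server's simple-bind handling."""

    def __init__(self, accounts, allow_unauthenticated_bind):
        self.accounts = accounts                      # principal -> password
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, name, password):
        if name == "" and password == "":
            return BindResult(True, "")               # anonymous bind (5.1.1)
        if password == "":
            # Unauthenticated bind (5.1.2): no password is checked at all.
            if self.allow_unauthenticated_bind:
                return BindResult(True, "")           # "success", but as anonymous
            return BindResult(False, "", "unauthenticated bind refused")
        if self.accounts.get(name) == password:
            return BindResult(True, name)
        return BindResult(False, "", "invalid credentials")


class BadCredentials(Exception):
    pass


def authenticate_vulnerable(directory, principal, password):
    """Control flow the CVE describes: no password-length check, and a bind
    that does not fail is taken as proof that the user authenticated."""
    result = directory.simple_bind(principal, password)
    if not result.success:
        raise BadCredentials(result.diagnostic)
    return principal


def authenticate_fixed(directory, principal, password):
    """Reject the empty password before the directory sees it, so the request
    can only ever be an authenticated simple bind. The identity check after
    the bind is an extra defence-in-depth step added here; the CVE text only
    calls for the length check."""
    if not password:
        raise BadCredentials("Empty Password")
    result = directory.simple_bind(principal, password)
    if not result.success:
        raise BadCredentials(result.diagnostic)
    if result.authz_id != principal:
        raise BadCredentials("bind succeeded but not as the requested principal")
    return principal


def outcome(func, directory, principal, password):
    """Reduce both paths to 'AUTHENTICATED' or 'REJECTED' for comparison."""
    try:
        func(directory, principal, password)
        return "AUTHENTICATED"
    except BadCredentials:
        return "REJECTED"


# Constructed sample directory: one account, unauthenticated binds permitted,
# which is the precondition the CVE description names.
ALICE = "alice@corp.example"
DIRECTORY = FakeDirectory({ALICE: "correct horse battery staple"},
                          allow_unauthenticated_bind=True)


def compare(directory=DIRECTORY, principal=ALICE):
    """Run an empty, a wrong and the right password through both authenticators.
    Returns {label: (vulnerable_outcome, fixed_outcome)}."""
    cases = {"empty": "", "wrong": "guess", "right": "correct horse battery staple"}
    return {label: (outcome(authenticate_vulnerable, directory, principal, pw),
                    outcome(authenticate_fixed, directory, principal, pw))
            for label, pw in cases.items()}


if __name__ == "__main__":
    for label, (vuln, fixed) in compare().items():
        print(f"{label:>5} password: vulnerable={vuln:<13} fixed={fixed}")
```

Running it shows the empty password accepted by the vulnerable path and rejected by the fixed one, while wrong and right passwords behave identically on both. The same model also shows why "just disable unauthenticated binds on the server" is only half a fix: it closes this instance, but the client-side check is what stops the authenticator from depending on a server setting it does not control. On a real directory, the equivalent test is to bind with a name and no password and then issue a "Who am I?" request (RFC 4532); an empty authorization identity in the reply means the server accepted an unauthenticated bind.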

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability: 3.9 | Impact: 3.4

Affected Packages (3 packages)

Maven      org.springframework.security:spring-security-core   affected from 3.2.0, fixed in 3.2.2.RELEASE (+1 more range)
NVD        vmware/spring_security                              8 versions (+7 more)
CVEListV5  pivotal/spring_security                             3.1.0 to 3.1.5, 3.2.0 to 3.2.1 (+1 more)

🔴 Vulnerability Details (3)

OSV: Improper Authentication in Spring Security (2022-05-13)
GHSA: Improper Authentication in Spring Security (2022-05-13)
CVEList: CVE-2014-0097: The ActiveDirectoryLdapAuthenticator in Spring Security 3... (2017-05-25)

📋 Vendor Advisories (2)

Red Hat: Framework: empty passwords may bypass authentication (2014-02-28)
Debian: CVE-2014-0097: libspring-java - The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0... (2014)

💬 Community (2)

Bugzilla: CVE-2014-0097 springframework-security: Spring Framework: empty passwords may bypass authentication [fedora-all] (2014-03-12)
Bugzilla: CVE-2014-0097 Spring Framework: empty passwords may bypass authentication (2014-03-12)