The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published: 2017-05-25T17:00:00

Updated: 2024-08-06T09:05:38.302Z

Reserved: 2013-12-03T00:00:00

Link: CVE-2014-0097

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2017-05-25T17:29:00.160

Modified: 2024-11-21T02:01:21.320

Link: CVE-2014-0097

cve-icon Redhat

Severity : Important

Publid Date: 2014-02-28T00:00:00Z

Links: CVE-2014-0097 - Bugzilla