Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ndjl2LWMzNzUtaHZtZ83mmg
Improper Authentication in Spring Security
The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
Permalink: https://github.com/advisories/GHSA-gv9v-c375-hvmgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ndjl2LWMzNzUtaHZtZ83mmg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 7.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-gv9v-c375-hvmg, CVE-2014-0097
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-0097
- https://pivotal.io/security/cve-2014-0097
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/spring-projects/spring-security/commit/7dbb8e777ece8675f3333a1ef1cb4d6b9be80395
- https://github.com/spring-projects/spring-security/commit/88559882e967085c47a7e1dcbc4dc32c2c796868
- https://github.com/spring-projects/spring-security/commit/a7005bd74241ac8e2e7b38ae31bc4b0f641ef973
- https://jira.springsource.org/browse/SEC-2500
- https://github.com/advisories/GHSA-gv9v-c375-hvmg
Blast Radius: 33.9
Affected Packages
maven:org.springframework.security:spring-security-core
Dependent packages: 1,940Dependent repositories: 44,289
Downloads:
Affected Version Ranges: >= 3.1.0, <= 3.1.4.RELEASE, >= 3.2.0, <= 3.2.1.RELEASE
Fixed in: 3.1.5.RELEASE, 3.2.2.RELEASE
All affected versions: 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.6.10, 5.6.11, 5.6.12, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.7.7, 5.7.8, 5.7.9, 5.7.10, 5.7.11, 5.7.12, 5.8.0, 5.8.1, 5.8.2, 5.8.3, 5.8.4, 5.8.5, 5.8.6, 5.8.7, 5.8.8, 5.8.9, 5.8.10, 5.8.11, 5.8.12, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4