CVE-2014-0097 Vulnerability in maven package org.springframework.security:spring-security-ldap

Description

The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.

Remediation

References

https://pivotal.io/security/cve-2014-0097

https://www.oracle.com/security-alerts/cpuapr2022.html

Related Vulnerabilities

CVE-2016-0782 Vulnerability in maven package org.apache.activemq:activemq-web-console

CVE-2023-29213 Vulnerability in maven package org.xwiki.platform:xwiki-platform-logging-script

CVE-2012-3546 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2019-17632 Vulnerability in maven package org.eclipse.jetty:jetty-server

CVE-2023-41329 Vulnerability in maven package com.github.tomakehurst:wiremock-jre8

Severity

High

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L