CVE-2014-0097

The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
dellCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
vmwarespring_security
3.1.0
vmwarespring_security
3.1.1
vmwarespring_security
3.1.2
vmwarespring_security
3.1.3
vmwarespring_security
3.1.4
vmwarespring_security
3.1.5
vmwarespring_security
3.2.0
vmwarespring_security
3.2.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libspring-java
bullseye
4.3.30-1
fixed
sid
4.3.30-2
fixed
trixie
4.3.30-2
fixed
bookworm
4.3.30-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libspring-java
trusty
not-affected
saucy
not-affected
precise
not-affected
lucid
dne
Common Weakness Enumeration
References
https://pivotal.io/security/cve-2014-0097
https://www.oracle.com/security-alerts/cpuapr2022.html
https://pivotal.io/security/cve-2014-0097
https://www.oracle.com/security-alerts/cpuapr2022.html