CVE-2014-0097

EUVD-2022-4013
The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
Affected Products (NVD)
VendorProductVersion
vmwarespring_security
3.1.0
vmwarespring_security
3.1.1
vmwarespring_security
3.1.2
vmwarespring_security
3.1.3
vmwarespring_security
3.1.4
vmwarespring_security
3.1.5
vmwarespring_security
3.2.0
vmwarespring_security
3.2.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libspring-java
bookworm
4.3.30-2
fixed
bullseye
4.3.30-1
fixed
sid
4.3.30-2
fixed
trixie
4.3.30-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libspring-java
lucid
dne
precise
not-affected
saucy
not-affected
trusty
not-affected
Common Weakness Enumeration
References
https://pivotal.io/security/cve-2014-0097
https://www.oracle.com/security-alerts/cpuapr2022.html
https://pivotal.io/security/cve-2014-0097
https://www.oracle.com/security-alerts/cpuapr2022.html