-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-0097 Blank password may bypass user authentication Severity: Important Vendor: Spring by Pivotal Versions Affected: - - Spring Security 3.2.0 to 3.2.1 - - Spring Security 3.1.0 to 3.1.5 Description: The ActiveDirectoryLdapAuthenticator does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password. Mitigation: Users of affected versions should apply the following mitigation: - - Users of 3.2.x should upgrade to 3.2.2 Credit: This issue was identified by the Spring Development team. References: http://www.gopivotal.com/security/cve-2014-0097 https://jira.springsource.org/browse/SEC-2500 https://github.com/spring-projects/spring-security/commit/88559882e967085c47a7e1dcbc4dc32c2c796868 https://github.com/spring-projects/spring-security/commit/7dbb8e777ece8675f3333a1ef1cb4d6b9be80395 https://github.com/spring-projects/spring-security/commit/a7005bd74241ac8e2e7b38ae31bc4b0f641ef973 History: 2014-Mar-11: Initial vulnerability report published. 2014-Mar-11: Affected versions corrected to add 3.1.0 to 3.1.5 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) - WinPT 1.2.0 iQIcBAEBAgAGBQJTH4PiAAoJEKSZXFdK82XakpEP/AofBt17ZjSs4MeFcgm/zt1e tad8nNlYPRxjoUQYexNGLAu6JPIdaaZ1dZib+6vLwX3iKpMNq2dikkiVFk9qPSQY It/o58+n3e+La5KiEKpUHUnFuUfaOrcI6iojDlb/tIRKZB3UR8c8X562rYNDsMAJ QgAFaEvlxtNlB273Dq3AuIugpKB1E3Ivk2AFw9n7esutvKac42S8RaCw3FM+t8Hp OsbkroB8OE9qfi/MSh4loLZDdHakYgRy/mdW/5FYzrnbiOUNIzeyph3KiWFb5col ox2k9DEDsBbve/jATg/hsL0NvOIIqWA7mO+K/8XiGo4OnUkcDginCrEx01r36YLM wHIfnjQp6tgngFMC1sJBqaYH5bQ4p6HSiYwWutUTRvRUoXDe3YvPra37lWtgVfAv otYmZ8BZiQrzMiE5J1UIshekJV6dEhani3kyi3htCvOiBCS2+YMYzKgg16OgVcf5 JYmQKk/yE+ZEeWdTmM0gGK44axUQVNWZpG84JG/n7gDU+/yNO//93/vnID2JE5VK CzAcP2fazzK4D2u5t1k7JNfArDJ82SrVjEzY0RuZiu+ui/32kidIJY757rMbPV1k +wiE9429N4vsOisHavNladmUGl2vb5ImcVHiDy6ZyXyF8Xu4lE5YuhLzA5qZ4Ta/ n96+1qDQQZB4HhRKAnIZ =XpO8 -----END PGP SIGNATURE-----