ghsa-gv9v-c375-hvmg
Vulnerability from github
Published
2022-05-13 01:01
Modified
2022-07-07 23:04
Severity
Summary
Improper Authentication in Spring Security
Details
The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 3.2.1.RELEASE" }, "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-core" }, "ranges": [ { "events": [ { "introduced": "3.2.0" }, { "fixed": "3.2.2.RELEASE" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c= 3.1.4.RELEASE" }, "package": { "ecosystem": "Maven", "name": "org.springframework.security:spring-security-core" }, "ranges": [ { "events": [ { "introduced": "3.1.0" }, { "fixed": "3.1.5.RELEASE" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2014-0097" ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2022-07-07T23:04:22Z", "nvd_published_at": "2017-05-25T17:29:00Z", "severity": "HIGH" }, "details": "The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.", "id": "GHSA-gv9v-c375-hvmg", "modified": "2022-07-07T23:04:22Z", "published": "2022-05-13T01:01:04Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0097" }, { "type": "WEB", "url": "https://github.com/spring-projects/spring-security/commit/7dbb8e777ece8675f3333a1ef1cb4d6b9be80395" }, { "type": "WEB", "url": "https://github.com/spring-projects/spring-security/commit/88559882e967085c47a7e1dcbc4dc32c2c796868" }, { "type": "WEB", "url": "https://github.com/spring-projects/spring-security/commit/a7005bd74241ac8e2e7b38ae31bc4b0f641ef973" }, { "type": "WEB", "url": "https://jira.springsource.org/browse/SEC-2500" }, { "type": "WEB", "url": "https://pivotal.io/security/cve-2014-0097" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "type": "CVSS_V3" } ], "summary": "Improper Authentication in Spring Security" }
Loading...