CVE-2014-0097 – org.springframework.security:spring-security-core
Package
Manager: maven
Name: org.springframework.security:spring-security-core
Vulnerable Version: >=3.2.0 <3.2.2.release || >=3.1.0 <3.1.5.release
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00314 (percentile: 0.53926)
Details
Improper Authentication in Spring Security
The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds, it may incorrectly authenticate a user who supplies an empty password.
Metadata
Created: 2022-05-13T01:01:04Z
Modified: 2022-07-07T23:04:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gv9v-c375-hvmg/GHSA-gv9v-c375-hvmg.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-gv9v-c375-hvmg
Finding: F006
Auto approve: 1