Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30642
HistoryMay 05, 2014 - 12:00 a.m.

CVE-2014-0097 Spring Security Blank password may bypass user authentication

2014-05-0500:00:00
vulners.com
80
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2014-0097 Blank password may bypass user authentication

Severity: Important

Vendor: Spring by Pivotal

Versions Affected:

    • Spring Security 3.2.0 to 3.2.1
    • Spring Security 3.1.0 to 3.1.5

Description:
The ActiveDirectoryLdapAuthenticator does not check the password length. If the
directory allows anonymous binds then it may incorrectly authenticate a user who
supplies an empty password.

Mitigation:
Users of affected versions should apply the following mitigation:

    • Users of 3.2.x should upgrade to 3.2.2

Credit:
This issue was identified by the Spring Development team.

References:
http://www.gopivotal.com/security/cve-2014-0097
https://jira.springsource.org/browse/SEC-2500
https://github.com/spring-projects/spring-security/commit/88559882e967085c47a7e1dcbc4dc32c2c796868
https://github.com/spring-projects/spring-security/commit/7dbb8e777ece8675f3333a1ef1cb4d6b9be80395
https://github.com/spring-projects/spring-security/commit/a7005bd74241ac8e2e7b38ae31bc4b0f641ef973

History:
2014-Mar-11: Initial vulnerability report published.
2014-Mar-11: Affected versions corrected to add 3.1.0 to 3.1.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - WinPT 1.2.0

iQIcBAEBAgAGBQJTH4PiAAoJEKSZXFdK82XakpEP/AofBt17ZjSs4MeFcgm/zt1e
tad8nNlYPRxjoUQYexNGLAu6JPIdaaZ1dZib+6vLwX3iKpMNq2dikkiVFk9qPSQY
It/o58+n3e+La5KiEKpUHUnFuUfaOrcI6iojDlb/tIRKZB3UR8c8X562rYNDsMAJ
QgAFaEvlxtNlB273Dq3AuIugpKB1E3Ivk2AFw9n7esutvKac42S8RaCw3FM+t8Hp
OsbkroB8OE9qfi/MSh4loLZDdHakYgRy/mdW/5FYzrnbiOUNIzeyph3KiWFb5col
ox2k9DEDsBbve/jATg/hsL0NvOIIqWA7mO+K/8XiGo4OnUkcDginCrEx01r36YLM
wHIfnjQp6tgngFMC1sJBqaYH5bQ4p6HSiYwWutUTRvRUoXDe3YvPra37lWtgVfAv
otYmZ8BZiQrzMiE5J1UIshekJV6dEhani3kyi3htCvOiBCS2+YMYzKgg16OgVcf5
JYmQKk/yE+ZEeWdTmM0gGK44axUQVNWZpG84JG/n7gDU+/yNO//93/vnID2JE5VK
CzAcP2fazzK4D2u5t1k7JNfArDJ82SrVjEzY0RuZiu+ui/32kidIJY757rMbPV1k
+wiE9429N4vsOisHavNladmUGl2vb5ImcVHiDy6ZyXyF8Xu4lE5YuhLzA5qZ4Ta/
n96+1qDQQZB4HhRKAnIZ
=XpO8
-----END PGP SIGNATURE-----

Related

fedora 4
nessus 2
github 1
openvas 6
ubuntucve 1
osv 1
prion 1
securityvulns 2
cve 1
debiancve 1
fedora
fedora
[SECURITY] Fedora 20 Update: springframework-security-3.1.6-1.fc20
2014-03-21 09:27:57
[SECURITY] Fedora 19 Update: springframework-security-3.1.6-1.fc19
2014-03-21 09:35:47
[SECURITY] Fedora 20 Update: springframework-security-3.1.7-1.fc20
2014-08-30 03:57:51
nessus
nessus
Fedora 20 : springframework-security-3.1.6-1.fc20 (2014-3811)
2014-03-22 00:00:00
Fedora 19 : springframework-security-3.1.6-1.fc19 (2014-3812)
2014-03-22 00:00:00
github
github
Improper Authentication in Spring Security
2022-05-13 01:01:04
openvas
openvas
Fedora Update for springframework-security FEDORA-2014-3812
2014-03-25 00:00:00
Fedora Update for springframework-security FEDORA-2014-3812
2014-03-25 00:00:00
Fedora Update for springframework-security FEDORA-2014-3811
2014-03-25 00:00:00
ubuntucve
ubuntucve
CVE-2014-0097
2017-05-25 00:00:00
osv
osv
Improper Authentication in Spring Security
2022-05-13 01:01:04
prion
prion
Design/Logic Flaw
2017-05-25 17:29:00
securityvulns
securityvulns
[SECURITY] CVE-2014-0097 Apache Tomcat information disclosure
2014-05-29 00:00:00
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2014-05-05 00:00:00
cve
cve
CVE-2014-0097
2017-05-25 17:29:00
debiancve
debiancve
CVE-2014-0097
2017-05-25 17:29:00
JSON
Related for SECURITYVULNS:DOC:30642
fedora4nessus2github1openvas6ubuntucve1osv1prion1securityvulns2cve1debiancve1