GHSA-gv9v-c375-hvmg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gv9v-c375-hvmg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gv9v-c375-hvmg/GHSA-gv9v-c375-hvmg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gv9v-c375-hvmg
- Aliases
-
- CVE-2014-0097
- Published
- 2022-05-13T01:01:04Z
- Modified
- 2023-11-08T03:57:31.262737Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- Improper Authentication in Spring Security
- Details
-
The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
- Database specific
{ "nvd_published_at": "2017-05-25T17:29:00Z", "github_reviewed_at": "2022-07-07T23:04:22Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-287" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2014-0097
- https://github.com/spring-projects/spring-security/commit/7dbb8e777ece8675f3333a1ef1cb4d6b9be80395
- https://github.com/spring-projects/spring-security/commit/88559882e967085c47a7e1dcbc4dc32c2c796868
- https://github.com/spring-projects/spring-security/commit/a7005bd74241ac8e2e7b38ae31bc4b0f641ef973
- https://jira.springsource.org/browse/SEC-2500
- https://pivotal.io/security/cve-2014-0097
- https://www.oracle.com/security-alerts/cpuapr2022.html
Affected packages
Maven / org.springframework.security:spring-security-core
Package
- Name
- org.springframework.security:spring-security-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-core
Maven / org.springframework.security:spring-security-core
Package
- Name
- org.springframework.security:spring-security-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-core