It was discovered that spring-ldap would under some circumstances allow authentication with a correct username but an arbitrary password (CVE-2017-8028).
{ "section": "core" }
"https://advisories.mageia.org/MGASA-2018-0235.json"