Red Hat Bugzilla – Bug 1075302
CVE-2014-0097 Spring Framework: empty passwords may bypass authentication
Last modified: 2015-01-04 17:39:02 EST
It was found that empty passwords could bypass authentication. From the original advisory:
"The ActiveDirectoryLdapAuthenticator does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password."
This issue affects versions 3.2.0 to 3.2.1, and versions 3.1.0 to 3.1.5.
Created springframework-security tracking bugs for this issue:
Affects: fedora-all [bug 1075303]
Not Vulnerable. This issue does not affect Spring as shipped with various Red Hat products.
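The missing check described in the advisory, shown as an added example that is not code from Spring Security or from this bug report: a guard that refuses empty credentials before any LDAP simple bind is attempted. The class name `GuardedLdapBind`, its `BadCredentials` exception, and the `example.test` URL and account are hypothetical placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical helper, not Spring Security code. */
public final class GuardedLdapBind {

    /** Thrown when credentials are rejected before or during the bind. */
    public static final class BadCredentials extends Exception {
        BadCredentials(String msg, Throwable cause) { super(msg, cause); }
    }

    private final String ldapUrl; // placeholder URL supplied by the caller

    public GuardedLdapBind(String ldapUrl) { this.ldapUrl = ldapUrl; }

    /** Returns a bound context only for a non-empty name and password. */
    public DirContext authenticate(String principal, String password) throws BadCredentials {
        // A simple bind with a zero-length password is an unauthenticated
        // bind (RFC 4513, section 5.1.2). A directory that accepts those
        // reports success without checking any credential.
        if (principal == null || principal.isEmpty()
                || password == null || password.isEmpty()) {
            throw new BadCredentials("Empty username or password", null);
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            return new InitialDirContext(env); // performs the bind
        } catch (NamingException e) {
            throw new BadCredentials("Bind failed", e);
        }
    }

    public static void main(String[] args) {
        GuardedLdapBind auth = new GuardedLdapBind("ldaps://dc.example.test:636");
        try {
            auth.authenticate("alice@example.test", ""); // constructed input
            System.out.println("authenticated");
        } catch (BadCredentials e) {
            System.out.println("rejected: " + e.getMessage()); // guard fires before any network call
        }
    }
}
```

Disabling anonymous and unauthenticated binds on the directory removes the precondition named in the advisory; the guard covers the application side regardless of how the directory is configured.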