It was found that empty passwords could bypass authentication. From the original advisory: "The ActiveDirectoryLdapAuthenticator does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password." This issue affects versions 3.2.0 to 3.2.1, and versions 3.1.0 to 3.1.5. External References: http://www.gopivotal.com/security/cve-2014-0097
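As an added illustration (not Spring Security's own code), the following Python models the bind path described in the advisory against a constructed in-memory directory that accepts anonymous binds, and shows the empty-password guard that closes the gap. `SimulatedDirectory`, the sample DN and the sample credentials are assumptions made for the example.

```python
# Added example (not Spring Security's code): models why an empty password
# slips through a bind-based LDAP authenticator, and the guard that fixes it.


class SimulatedDirectory:
    """Constructed stand-in for an LDAP server.

    A bind request carrying a DN and an empty password is an
    'unauthenticated' bind; a server that permits anonymous access
    accepts it without checking any credential at all.
    """

    def __init__(self, credentials, allow_anonymous=True):
        self._credentials = credentials        # dn -> password (sample data)
        self._allow_anonymous = allow_anonymous

    def bind(self, dn, password):
        if password == "":
            # Unauthenticated bind: outcome depends only on server policy
            return self._allow_anonymous
        return self._credentials.get(dn) == password


def vulnerable_authenticate(directory, dn, password):
    """Mirrors the flaw: the supplied password goes straight to bind()."""
    return directory.bind(dn, password)


def hardened_authenticate(directory, dn, password):
    """Rejects an empty password before any bind is attempted."""
    if not password:
        return False
    return directory.bind(dn, password)


def demo():
    dn = "CN=alice,DC=example,DC=com"              # constructed sample DN
    creds = {dn: "correct-horse"}                  # constructed sample secret
    anon_ok = SimulatedDirectory(creds, allow_anonymous=True)
    anon_off = SimulatedDirectory(creds, allow_anonymous=False)
    return {
        "vulnerable_empty": vulnerable_authenticate(anon_ok, dn, ""),
        "vulnerable_empty_no_anon": vulnerable_authenticate(anon_off, dn, ""),
        "hardened_empty": hardened_authenticate(anon_ok, dn, ""),
        "hardened_valid": hardened_authenticate(anon_ok, dn, "correct-horse"),
        "hardened_wrong": hardened_authenticate(anon_ok, dn, "nope"),
    }
```

The `vulnerable_empty_no_anon` case shows the directory-side mitigation (disallowing anonymous binds) also blocks the bypass, so the application-side check and the directory policy complement each other.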
Created springframework-security tracking bugs for this issue: Affects: fedora-all [bug 1075303]
Statement: Not Vulnerable. This issue does not affect Spring as shipped with various Red Hat products.