Spring Security through version 5.0.3 allows for direct modification of user passwords in the LdapUserDetailsManager.java:changePassword() function, which conflicts with RFC 3062 and allows for security configuration bypass.

Upstream Issue: https://github.com/spring-projects/spring-security/issues/3392
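For contrast with a direct Modify on the password attribute, the RFC 3062 Password Modify extended operation can be issued from JNDI as below. This is an added example, not Spring Security's own code; the class name and the sample DN and passwords are assumptions constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import javax.naming.ldap.ExtendedRequest;
import javax.naming.ldap.ExtendedResponse;

// Added example (hypothetical class): RFC 3062 Password Modify as a JNDI ExtendedRequest.
public class PasswordModifyRequest implements ExtendedRequest {
    static final String OID = "1.3.6.1.4.1.4203.1.11.1"; // passwdModifyOID from RFC 3062
    private final byte[] value;

    public PasswordModifyRequest(String userDn, String oldPw, String newPw) {
        ByteArrayOutputStream fields = new ByteArrayOutputStream();
        tlv(fields, 0x80, utf8(userDn)); // [0] userIdentity OPTIONAL
        tlv(fields, 0x81, utf8(oldPw));  // [1] oldPasswd    OPTIONAL
        tlv(fields, 0x82, utf8(newPw));  // [2] newPasswd    OPTIONAL
        ByteArrayOutputStream seq = new ByteArrayOutputStream();
        tlv(seq, 0x30, fields.toByteArray()); // PasswdModifyRequestValue ::= SEQUENCE
        value = seq.toByteArray();
    }

    private static byte[] utf8(String s) {
        return s == null ? null : s.getBytes(StandardCharsets.UTF_8);
    }

    // Writes one BER tag-length-value; null content means the OPTIONAL field is omitted.
    private static void tlv(ByteArrayOutputStream out, int tag, byte[] content) {
        if (content == null) return;
        out.write(tag);
        int len = content.length;
        if (len < 0x80) {
            out.write(len);                        // short form length
        } else {
            int n = (32 - Integer.numberOfLeadingZeros(len) + 7) / 8;
            out.write(0x80 | n);                   // long form: number of length octets
            for (int i = n - 1; i >= 0; i--) out.write(len >>> (8 * i));
        }
        out.write(content, 0, len);
    }

    @Override public String getID() { return OID; }
    @Override public byte[] getEncodedValue() { return value.clone(); }
    @Override public ExtendedResponse createExtendedResponse(String id, byte[] ber, int off, int len) {
        return null; // this example does not decode the response value
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the page.
        byte[] v = new PasswordModifyRequest("uid=alice,ou=people,dc=example,dc=org",
                                             "old-secret", "new-secret").getEncodedValue();
        StringBuilder hex = new StringBuilder();
        for (byte b : v) hex.append(String.format("%02x", b));
        System.out.println(OID + " " + hex);
    }
}
```

An instance is passed to `javax.naming.ldap.LdapContext.extendedOperation(...)` on a bound context, so the directory server itself processes the password change.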
Created springframework-security tracking bugs for this issue:

Affects: fedora-all [bug 1553566]
Statement: This issue does not affect any versions of OpenDaylight as shipped with Red Hat OpenStack Platform (the flawed spring-security-ldap code is not packaged in OpenDaylight).