CVE-2014-0097
HIGH7.3EPSS 0.23%Improper Authentication in Spring Security
發布日:2022/5/13修改日:2023/11/8
描述
The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
受影響套件(1)
- Maven/org.springframework.security:spring-security-core>= 3.2.0, < 3.2.2.RELEASE
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-0097
- WEBhttps://github.com/spring-projects/spring-security/commit/7dbb8e777ece8675f3333a1ef1cb4d6b9be80395
- WEBhttps://github.com/spring-projects/spring-security/commit/88559882e967085c47a7e1dcbc4dc32c2c796868
- WEBhttps://github.com/spring-projects/spring-security/commit/a7005bd74241ac8e2e7b38ae31bc4b0f641ef973
- WEBhttps://jira.springsource.org/browse/SEC-2500
- WEBhttps://pivotal.io/security/cve-2014-0097
- WEBhttps://www.oracle.com/security-alerts/cpuapr2022.html