Message-Id: <acac0dae-ea72-4a63-9cd6-ef01da127fb2@gopivotal.com>
Date: Tue, 11 Mar 2014 14:46:16 -0700 (PDT)
From: Pivotal Security Team <security@...ivotal.com>
To: security@...ivotal.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: CVE-2014-0097 Spring Security Blank password may bypass user authentication
CVE-2014-0097 Blank password may bypass user authentication
Severity: Important
Vendor: Spring by Pivotal
Versions Affected:
- Spring Security 3.2.0 to 3.2.1
- Spring Security 3.1.0 to 3.1.5
Description:
The ActiveDirectoryLdapAuthenticator does not check the password length. If the
directory allows anonymous binds then it may incorrectly authenticate a user who
supplies an empty password.
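An added illustration of the failure mode described above, not code from the advisory or from Spring Security: a constructed in-memory stand-in for a directory applies the simple-bind rule the bug relies on (a non-empty DN with an empty password is accepted as an anonymous session when the directory permits such binds), and the authenticator that trusts any successful bind is shown beside one that rejects a blank password before binding. The `FakeDirectory` class, the DNs and the passwords are all constructed for the example.

```python
from dataclasses import dataclass


class BindError(Exception):
    """Raised when the simulated directory rejects a simple bind."""


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP directory's simple-bind rules (not real AD).

    allow_unauthenticated: whether a bind that names a DN but carries an empty
    password is accepted as an anonymous session instead of being rejected.
    """
    passwords: dict                  # user DN -> password (constructed sample data)
    allow_unauthenticated: bool = True

    def simple_bind(self, dn: str, password: str) -> str:
        if dn == "" and password == "":
            return "anonymous"               # explicit anonymous bind
        if password == "":
            if self.allow_unauthenticated:
                return "anonymous"           # bind succeeds without proving identity
            raise BindError("unauthenticated bind disabled")
        if self.passwords.get(dn) == password:
            return "authenticated"
        raise BindError("invalid credentials")


def authenticate_vulnerable(directory: FakeDirectory, dn: str, password: str) -> bool:
    """Treats any successful bind as proof of identity: the pattern the advisory describes."""
    try:
        directory.simple_bind(dn, password)
        return True
    except BindError:
        return False


def authenticate_fixed(directory: FakeDirectory, dn: str, password: str) -> bool:
    """Rejects an empty password before binding, so an anonymous session
    can never be mistaken for a user login, whatever the directory allows."""
    if not password:
        return False
    return authenticate_vulnerable(directory, dn, password)


# Constructed sample directory with one user.
ALICE_DN = "CN=alice,DC=example,DC=test"
LENIENT_DIRECTORY = FakeDirectory({ALICE_DN: "s3cret"}, allow_unauthenticated=True)
STRICT_DIRECTORY = FakeDirectory({ALICE_DN: "s3cret"}, allow_unauthenticated=False)
```

Against `LENIENT_DIRECTORY`, `authenticate_vulnerable(LENIENT_DIRECTORY, ALICE_DN, "")` returns True while the fixed variant returns False; disabling unauthenticated binds on the directory side closes the same gap independently of the application check.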
Mitigation:
Users of affected versions should apply the following mitigation:
- Users of 3.2.x should upgrade to 3.2.2
Credit:
This issue was identified by the Spring Development team.
References:
http://www.gopivotal.com/security/cve-2014-0097
https://jira.springsource.org/browse/SEC-2500
https://github.com/spring-projects/spring-security/commit/88559882e967085c47a7e1dcbc4dc32c2c796868
https://github.com/spring-projects/spring-security/commit/7dbb8e777ece8675f3333a1ef1cb4d6b9be80395
https://github.com/spring-projects/spring-security/commit/a7005bd74241ac8e2e7b38ae31bc4b0f641ef973
History:
2014-Mar-11: Initial vulnerability report published.
2014-Mar-11: Affected versions corrected to add 3.1.0 to 3.1.5