
CVE-2014-0097 Blank password may bypass user authentication

Severity

Important

Vendor

Spring by Pivotal

Versions Affected

  • Spring Security 3.2.0 to 3.2.1
  • Spring Security 3.1.0 to 3.1.5

Description

The ActiveDirectoryLdapAuthenticator does not check the password length. If the directory allows anonymous binds, it may incorrectly authenticate a user who supplies an empty password: an LDAP simple bind that carries a username but an empty password is treated by the server as an anonymous (unauthenticated) bind, so the bind succeeds even though no credential was verified.
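The following is an added illustration, not Spring Security's own code: a constructed in-memory directory that applies the RFC 4513 unauthenticated-bind rule, with the pre-fix authentication logic (bind outcome alone decides) beside the fixed logic (empty passwords are rejected before any bind). The DN layout, user data and function names are assumptions made for the example.

```python
"""Added example (not Spring Security's code). MockDirectory is a constructed
stand-in for an LDAP server: per RFC 4513 section 5.1.2, a simple bind with a
non-empty name and an empty password is an 'unauthenticated' bind, which a
server that allows anonymous access answers with success."""
from dataclasses import dataclass, field


class BindError(Exception):
    """Raised when the directory refuses a simple bind."""


@dataclass
class MockDirectory:
    # Constructed sample data: DN -> password. Assumed DN layout.
    users: dict = field(
        default_factory=lambda: {"cn=alice,dc=example,dc=com": "s3cret"}
    )
    allow_anonymous: bool = True

    def simple_bind(self, dn: str, password: str) -> str:
        """Return the identity the server grants to the bind."""
        if dn and password == "":
            # Unauthenticated bind: succeeds as 'anonymous' if permitted,
            # without checking any credential at all.
            if self.allow_anonymous:
                return "anonymous"
            raise BindError("unauthenticated bind not permitted")
        if self.users.get(dn) == password:
            return dn
        raise BindError("invalid credentials")


def _dn_for(username: str) -> str:
    return f"cn={username},dc=example,dc=com"  # assumed naming scheme


def authenticate_vulnerable(directory: MockDirectory, username: str, password: str) -> bool:
    """Pre-fix behaviour: any successful bind is taken as a valid login."""
    try:
        directory.simple_bind(_dn_for(username), password)
    except BindError:
        return False
    return True  # an anonymous bind is mistaken for the user's login


def authenticate_fixed(directory: MockDirectory, username: str, password: str) -> bool:
    """Fixed behaviour: refuse an empty password before binding at all."""
    if not password:
        return False
    try:
        directory.simple_bind(_dn_for(username), password)
    except BindError:
        return False
    return True
```

Disabling anonymous binds on the directory also closes the gap, but the client-side length check is the defence that does not depend on server configuration.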

Mitigation

Users of affected versions should apply the following mitigation:

  • Users of 3.2.x should upgrade to 3.2.2 or later
  • Users of 3.1.x should upgrade to 3.1.6 or later

Credit

This issue was identified by the Spring Development team.

References

https://jira.springsource.org/browse/SEC-2500
https://github.com/spring-projects/spring-security/commit/88559882e967085c47a7e1dcbc4dc32c2c796868
https://github.com/spring-projects/spring-security/commit/7dbb8e777ece8675f3333a1ef1cb4d6b9be80395
https://github.com/spring-projects/spring-security/commit/a7005bd74241ac8e2e7b38ae31bc4b0f641ef973

History

2014-Mar-11: Initial vulnerability report published
2014-Mar-11: Affected versions corrected to add 3.1.0 to 3.1.5
2014-Jun-19: Add mitigation for 3.1.x users
