-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2014-0097 Blank password may bypass user authentication

Severity: Important

Vendor: Spring by Pivotal

Versions Affected:
- - Spring Security 3.2.0 to 3.2.1
- - Spring Security 3.1.0 to 3.1.5

Description:
The ActiveDirectoryLdapAuthenticator does not check the password length. If the
directory allows anonymous binds then it may incorrectly authenticate a user who
supplies an empty password.

Mitigation:
Users of affected versions should apply the following mitigation:
- - Users of 3.2.x should upgrade to 3.2.2

Credit:
This issue was identified by the Spring Development team.

References:
http://www.gopivotal.com/security/cve-2014-0097
https://jira.springsource.org/browse/SEC-2500
https://github.com/spring-projects/spring-security/commit/88559882e967085c47a7e1dcbc4dc32c2c796868
https://github.com/spring-projects/spring-security/commit/7dbb8e777ece8675f3333a1ef1cb4d6b9be80395
https://github.com/spring-projects/spring-security/commit/a7005bd74241ac8e2e7b38ae31bc4b0f641ef973

History:
2014-Mar-11: Initial vulnerability report published.
2014-Mar-11: Affected versions corrected to add 3.1.0 to 3.1.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - WinPT 1.2.0

iQIcBAEBAgAGBQJTH4PiAAoJEKSZXFdK82XakpEP/AofBt17ZjSs4MeFcgm/zt1e
tad8nNlYPRxjoUQYexNGLAu6JPIdaaZ1dZib+6vLwX3iKpMNq2dikkiVFk9qPSQY
It/o58+n3e+La5KiEKpUHUnFuUfaOrcI6iojDlb/tIRKZB3UR8c8X562rYNDsMAJ
QgAFaEvlxtNlB273Dq3AuIugpKB1E3Ivk2AFw9n7esutvKac42S8RaCw3FM+t8Hp
OsbkroB8OE9qfi/MSh4loLZDdHakYgRy/mdW/5FYzrnbiOUNIzeyph3KiWFb5col
ox2k9DEDsBbve/jATg/hsL0NvOIIqWA7mO+K/8XiGo4OnUkcDginCrEx01r36YLM
wHIfnjQp6tgngFMC1sJBqaYH5bQ4p6HSiYwWutUTRvRUoXDe3YvPra37lWtgVfAv
otYmZ8BZiQrzMiE5J1UIshekJV6dEhani3kyi3htCvOiBCS2+YMYzKgg16OgVcf5
JYmQKk/yE+ZEeWdTmM0gGK44axUQVNWZpG84JG/n7gDU+/yNO//93/vnID2JE5VK
CzAcP2fazzK4D2u5t1k7JNfArDJ82SrVjEzY0RuZiu+ui/32kidIJY757rMbPV1k
+wiE9429N4vsOisHavNladmUGl2vb5ImcVHiDy6ZyXyF8Xu4lE5YuhLzA5qZ4Ta/
n96+1qDQQZB4HhRKAnIZ
=XpO8
-----END PGP SIGNATURE-----