CVE-2014-0097

Publication date 25 May 2017

Last updated 25 August 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

7.3 · High

Score breakdown

Description

The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.

Read the notes from the security team

Status

Package Ubuntu Release Status
libspring-java 14.04 LTS trusty
Not affected
13.10 saucy
Not affected
12.04 LTS precise
Not affected
10.04 LTS lucid Not in release

Notes

seth-arnold

ActiveDirectoryLdapAuthenticator introduced in 3.1

Severity score breakdown

CVSS version: CVSS v3.0

Base score 7.3 · High

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

Other references

Access our resources on patching vulnerabilities