What is the severity of CVE-2014-0097?

CVE-2014-0097 has a medium severity rating due to its potential to allow unauthorized access through empty password authentication.

How do I fix CVE-2014-0097?

To fix CVE-2014-0097, upgrade Spring Security to version 3.2.2 or later where the password length check is properly implemented.

Which versions are affected by CVE-2014-0097?

CVE-2014-0097 affects Spring Security versions 3.1.0 to 3.1.5 and 3.2.0 to 3.2.1.

What can happen if I don't address CVE-2014-0097?

If CVE-2014-0097 is not addressed, an attacker may gain access by exploiting the directory's allowance for anonymous binds with an empty password.

Is there a workaround for CVE-2014-0097?

A possible workaround for CVE-2014-0097 is to disable anonymous binds in your LDAP configuration.

Vulnerability/
CVE-2014-0097

high

7.5

CWE

287

25/5/2017

6/8/2024

CVE-2014-0097

First published: Thu May 25 2017(Updated: )

The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.

Credit: security_alert@emc.com

Affected Software	Affected Version	How to fix
VMware Spring Security	=3.1.0
VMware Spring Security	=3.1.1
VMware Spring Security	=3.1.2
VMware Spring Security	=3.1.3
VMware Spring Security	=3.1.4
VMware Spring Security	=3.1.5
VMware Spring Security	=3.2.0
VMware Spring Security	=3.2.1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2014-0097?
CVE-2014-0097 has a medium severity rating due to its potential to allow unauthorized access through empty password authentication.
How do I fix CVE-2014-0097?
To fix CVE-2014-0097, upgrade Spring Security to version 3.2.2 or later where the password length check is properly implemented.
Which versions are affected by CVE-2014-0097?
CVE-2014-0097 affects Spring Security versions 3.1.0 to 3.1.5 and 3.2.0 to 3.2.1.
What can happen if I don't address CVE-2014-0097?
If CVE-2014-0097 is not addressed, an attacker may gain access by exploiting the directory's allowance for anonymous binds with an empty password.
Is there a workaround for CVE-2014-0097?
A possible workaround for CVE-2014-0097 is to disable anonymous binds in your LDAP configuration.

agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/author
agent/last-modified-date
agent/weakness
agent/severity
agent/description
agent/first-publish-date
agent/event
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/vmware
canonical/vmware spring security
version/vmware spring security/3.1.0
version/vmware spring security/3.1.1
version/vmware spring security/3.1.2
version/vmware spring security/3.1.3
version/vmware spring security/3.1.4
version/vmware spring security/3.1.5
version/vmware spring security/3.2.0
version/vmware spring security/3.2.1

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.

Frequently Asked Questions

What is the severity of CVE-2014-0097?
CVE-2014-0097 has a medium severity rating due to its potential to allow unauthorized access through empty password authentication.
How do I fix CVE-2014-0097?
To fix CVE-2014-0097, upgrade Spring Security to version 3.2.2 or later where the password length check is properly implemented.
Which versions are affected by CVE-2014-0097?
CVE-2014-0097 affects Spring Security versions 3.1.0 to 3.1.5 and 3.2.0 to 3.2.1.
What can happen if I don't address CVE-2014-0097?
If CVE-2014-0097 is not addressed, an attacker may gain access by exploiting the directory's allowance for anonymous binds with an empty password.
Is there a workaround for CVE-2014-0097?
A possible workaround for CVE-2014-0097 is to disable anonymous binds in your LDAP configuration.