CVE-2014-0097

Authentication Bypass
Affects
Spring Security
>=3.1.0 <3.1.6, >=3.2.0 <3.2.2
in
Spring
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version of Spring Security offered by HeroDevs.

Overview

Spring Security is a comprehensive Java security framework for securing enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of secure applications by allowing you to manage authentication, authorization, and other security concerns with ease. Spring Security integrates seamlessly with the Spring Framework, offering robust tools for configuring access controls, managing user roles, and protecting resources, all while allowing Java to be your primary language for application development.

An authentication bypass vulnerability (CVE-2014-0097) has been identified in the ActiveDirectoryLdapAuthenticator component of Spring Security's spring-security-ldap module. The component authenticates a user by performing an LDAP simple bind with the supplied username and password, but it does not check that the password is non-empty before doing so. In LDAP, a simple bind that carries a name but an empty password is an "unauthenticated" bind (RFC 4513, section 5.1.2): a server that accepts such binds returns success without verifying any credential, and the resulting session is anonymous rather than bound as the named user. Because the component treats a successful bind as proof of identity, an attacker who knows or guesses a valid username can log in to the application with an empty password against any directory that allows anonymous (unauthenticated) binds, and the application then grants that user's privileges to someone who never proved their identity.

Per the Common Attack Pattern Enumeration and Classification (CAPEC-115), an authentication bypass occurs when an attacker gains access to an application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

This issue affects versions 3.1.0 through 3.1.5 and 3.2.0 through 3.2.1 of spring-security-ldap from Spring Security; it was fixed in 3.1.6 and 3.2.2.

Details

Module Info

Vulnerability Info

The ActiveDirectoryLdapAuthenticator in Spring Security does not reject an empty password before attempting to bind to the directory. If the LDAP server allows anonymous (unauthenticated) binds, the bind succeeds and the component accepts the login, so an attacker can bypass authentication by supplying a valid username together with an empty password. Applications that rely on this component for authentication are exposed to unauthorized access.
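The two paragraphs above (the Overview and the Vulnerability Info) describe the same mechanism: a bind-based authenticator that trusts a successful bind, against a directory that accepts a name with an empty password. The following simulation is an added illustration, not Spring Security code and not a real LDAP client. It models the RFC 4513 simple-bind rules in a few lines, then shows the vulnerable pattern (bind and trust the result) next to the hardened pattern (reject an empty password before binding and require that the bind actually authenticated as the requested DN). The directory contents, user names and passwords are constructed fixtures; the function names are this example's own.

```python
"""Simulated LDAP simple-bind semantics showing why an empty password can
pass a bind-based authenticator (the pattern behind CVE-2014-0097).

Added illustration only; not Spring Security code. Everything below is a
constructed fixture, not a real directory or real credentials.
"""
from dataclasses import dataclass

# Constructed fixture: DN -> password. A real directory verifies a stored
# hash; plaintext keeps the simulation small.
DIRECTORY = {
    "cn=alice,dc=example,dc=com": "correct horse battery staple",
    "cn=bob,dc=example,dc=com": "hunter2",
}


@dataclass
class BindResult:
    success: bool
    identity: str          # "anonymous" or the DN that was actually verified
    diagnostic: str = ""   # LDAP-style diagnostic message on failure


def simple_bind(dn: str, password: str, allow_unauthenticated: bool) -> BindResult:
    """Model of RFC 4513 section 5.1 simple bind.

    - empty name, empty password : anonymous bind, always accepted here
    - name present, empty password: "unauthenticated" bind (section 5.1.2);
      the server MAY accept it, the name is NOT verified, and the session
      is anonymous even though the result code is success
    - name and password present  : name/password verified against the directory
    """
    if not dn and not password:
        return BindResult(True, "anonymous")
    if dn and not password:
        if allow_unauthenticated:
            # Success result, but no identity has been proven.
            return BindResult(True, "anonymous")
        return BindResult(False, "", "unauthenticated bind disallowed")
    stored = DIRECTORY.get(dn)
    if stored is not None and stored == password:
        return BindResult(True, dn)
    return BindResult(False, "", "invalidCredentials")


def user_dn(username: str) -> str:
    """Hypothetical username-to-DN mapping used by this simulation."""
    return f"cn={username},dc=example,dc=com"


def vulnerable_authenticate(username: str, password: str,
                            allow_unauthenticated: bool = True) -> bool:
    """The flawed pattern: bind as the user and trust a successful result.

    With an empty password and a directory that accepts unauthenticated
    binds, this returns True although no credential was checked.
    """
    return simple_bind(user_dn(username), password, allow_unauthenticated).success


def fixed_authenticate(username: str, password: str,
                       allow_unauthenticated: bool = True) -> bool:
    """Hardened pattern: refuse an empty password before ever contacting the
    directory, and accept only a bind that authenticated as the requested DN
    (an anonymous session is never a login)."""
    if not password:
        return False
    result = simple_bind(user_dn(username), password, allow_unauthenticated)
    return result.success and result.identity == user_dn(username)


if __name__ == "__main__":
    print("vulnerable, alice, empty password:",
          vulnerable_authenticate("alice", ""))            # True: bypass
    print("fixed, alice, empty password:",
          fixed_authenticate("alice", ""))                 # False
    print("fixed, alice, correct password:",
          fixed_authenticate("alice", "correct horse battery staple"))  # True
```

Two things fall out of the model. The empty-password check has to run before the bind, because once the server has returned success the application can no longer tell an authenticated session from an anonymous one by the result code alone. And a directory configured to refuse unauthenticated binds (`allow_unauthenticated=False` here) defeats the vulnerable pattern too, which is why hardening the directory is worth doing in addition to, not instead of, fixing the authenticator.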

Credits

Mitigation

The affected Spring Security 3.1.x and 3.2.x lines, like the later 4.2.x line, are no longer community-supported.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to a supported version of Spring Security. The fix shipped in 3.1.6 and 3.2.2, but those lines are themselves end-of-life, so move to a currently supported release.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
  • As defense in depth, configure the LDAP directory to reject unauthenticated binds (a bind that carries a name but an empty password), and make sure any custom authentication provider rejects an empty password before it contacts the directory.

Vulnerability Details
ID
CVE-2014-0097
PROJECT Affected
Spring Security
Versions Affected
>=3.1.0 <3.1.6, >=3.2.0 <3.2.2
Published date
March 11, 2014
≈ Fix date
March 11, 2014
Severity
High
Category
Authentication Bypass