[SEC-2500] CVE-2014-0097: LDAP code may be vulnerable to anonymous bind issues with AD Created: 28/Feb/14  Updated: 11/Mar/14  Resolved: 11/Mar/14

Status: Closed
Project: Spring Security
Component/s: LDAP
Affects Version/s: 3.2.1
Fix Version/s: 3.1.6, 3.2.2
Security Level: Public

Type: Bug Priority: Critical
Reporter: Luke Taylor Assignee: Rob Winch
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


This resolves CVE-2014-0097 which allows a malicious user to impersonate a user with an empty password if ALL of the following hold true:

  • The application is using ActiveDirectoryLdapAuthenticator
  • The directory allows anonymous binds (not recommended)

NOTE: This does NOT impact users of LdapAuthenticationProvider or <ldap-authentication-provider>

There is already a check for an empty password when using normal LDAP authentication, but it is in BindAuthenticator, which is not used by ActiveDirectoryLdapAuthenticator. The latter has its own bind method which does not check the password length. If the directory allows anonymous binds (I'm not sure whether this is an issue with AD), then it may incorrectly authenticate a user who supplies an empty password.

The password length check should be moved to AbstractLdapAuthenticationProvide.authenticate.

Comment by Rob Winch [ 10/Mar/14 ]

This was fixed in the following commits

Generated at Fri Aug 14 15:11:18 UTC 2020 using Jira 8.5.4#805004-sha1:0444eab799707f9ad7b248d69f858774aadfd250.