VYPR
High severity · 7.3 · NVD Advisory · Published May 25, 2017 · Updated May 13, 2026

CVE-2014-0097

Description

The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
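To make the description concrete, the following is an added example and not Spring Security's code: an offline, in-memory model of a directory that permits unauthenticated simple binds (RFC 4513 section 5.1.2, where a bind request carrying a name but an empty password is answered with success without any credential check), with the pre-fix and post-fix authenticator logic side by side. The fake directory, the user `joe`, the `corp.example` domain and all passwords are constructed for the example.

```python
# Added example (not Spring Security code): an in-memory model of why an
# authenticator must reject an empty password *before* attempting an LDAP
# simple bind. Per RFC 4513 section 5.1.2, a simple bind that carries a name
# but an empty password is an "unauthenticated" bind; a server configured
# to allow it answers success without checking any credential. The
# directory, users and passwords below are constructed for the example.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


class BadCredentials(Exception):
    """Stands in for Spring Security's BadCredentialsException."""


@dataclass
class FakeDirectory:
    """Minimal stand-in for an LDAP server's simple-bind decision (constructed)."""
    passwords: Dict[str, str] = field(default_factory=dict)
    allow_unauthenticated_bind: bool = True  # the server setting that makes the bug reachable

    def simple_bind(self, dn: str, password: Optional[str]) -> bool:
        # Name present, password empty => unauthenticated bind (RFC 4513 5.1.2).
        if password == "":
            return self.allow_unauthenticated_bind
        # Otherwise a real credential comparison.
        return password is not None and self.passwords.get(dn) == password


def bind_dn(username: str) -> str:
    # Hypothetical domain; the AD provider binds as user@domain.
    return f"{username}@corp.example"


def vulnerable_authenticate(directory: FakeDirectory, username: str,
                            password: Optional[str]) -> str:
    """Pre-fix logic: only the username is validated before the bind."""
    if not username:
        raise BadCredentials("Empty Username")
    if not directory.simple_bind(bind_dn(username), password):
        raise BadCredentials("Bad credentials")
    return username


def fixed_authenticate(directory: FakeDirectory, username: str,
                       password: Optional[str]) -> str:
    """SEC-2500 logic: a null or empty password fails before any bind is attempted."""
    if not username:
        raise BadCredentials("Empty Username")
    if password is None or len(password) == 0:  # analogue of !StringUtils.hasLength(password)
        raise BadCredentials("Empty Password")
    if not directory.simple_bind(bind_dn(username), password):
        raise BadCredentials("Bad credentials")
    return username


def outcome(authenticate: Callable[..., str], directory: FakeDirectory,
            username: str, password: Optional[str]) -> str:
    """Run one attempt and report the result as a string."""
    try:
        return "authenticated as " + authenticate(directory, username, password)
    except BadCredentials as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed directory: one user, server allows unauthenticated binds.
    permissive = FakeDirectory(passwords={bind_dn("joe"): "s3cret"},
                               allow_unauthenticated_bind=True)
    print("vulnerable, empty password: ", outcome(vulnerable_authenticate, permissive, "joe", ""))
    print("fixed, empty password:      ", outcome(fixed_authenticate, permissive, "joe", ""))
    print("fixed, correct password:    ", outcome(fixed_authenticate, permissive, "joe", "s3cret"))
    # Defence in depth: a server that refuses unauthenticated binds also closes the hole.
    strict = FakeDirectory(passwords={bind_dn("joe"): "s3cret"},
                           allow_unauthenticated_bind=False)
    print("vulnerable on strict server:", outcome(vulnerable_authenticate, strict, "joe", ""))
```

The guard has to sit before the bind call, which is where the patches in this advisory place it; a directory configured to reject unauthenticated binds is the complementary server-side control, and after upgrading it is worth confirming both, since the application-side check is the only one a Spring Security upgrade gives you.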

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                            Ecosystem   Affected versions            Patched versions
org.springframework.security:spring-security-core  Maven       >= 3.2.0, < 3.2.2.RELEASE    3.2.2.RELEASE
org.springframework.security:spring-security-core  Maven       >= 3.1.0, < 3.1.5.RELEASE    3.1.5.RELEASE

Affected products (9)

  • cpe:2.3:a:vmware:spring_security:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_security:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_security:3.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_security:3.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_security:3.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_security:3.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_security:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_security:3.2.1:*:*:*:*:*:*:*
  • Pivotal/Spring Security v5
    Range: 3.2.0 to 3.2.1

Patches (3)

a7005bd74241

SEC-2500: Prevent anonymous bind for ActiveDirectoryLdapAuthenticator

15 files changed · +40 −2
  • core/src/main/resources/org/springframework/security/messages_cs_CZ.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=P\u0159\u00EDstup odep\u0159en
    +AbstractLdapAuthenticationProvider.emptyPassword=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje
     AbstractSecurityInterceptor.authenticationNotFound=Nebyl nalezen \u017E\u00E1dn\u00FD Authentication objekt v SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Platnost u\u017Eivatelsk\u00E9ho hesla vypr\u0161ela
    
  • core/src/main/resources/org/springframework/security/messages_de.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Zugriff verweigert
    +AbstractLdapAuthenticationProvider.emptyPassword=Ung\u00FCltige Benutzerberechtigungen
     AbstractSecurityInterceptor.authenticationNotFound=Im SecurityContext wurde keine Authentifikation gefunden
     AbstractUserDetailsAuthenticationProvider.badCredentials=Ung\u00FCltige Benutzerberechtigungen
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Die G\u00FCltigkeit der Benutzerberechtigungen ist abgelaufen
    
  • core/src/main/resources/org/springframework/security/messages_es_ES.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Acceso denegado
    +AbstractLdapAuthenticationProvider.emptyPassword=Credenciales err\u00F3neas
     AbstractSecurityInterceptor.authenticationNotFound=El objeto Authentication no ha sido encontrado en el SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciales err\u00F3neas
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Las credenciales del usuario han expirado
    
  • core/src/main/resources/org/springframework/security/messages_fr.properties (+1 −0) modified
    @@ -3,6 +3,7 @@
     # Translation by Laurent Pireyn (laurent.pireyn@pisolutions.eu)
     # Translation by Valentin Crettaz (valentin.crettaz@consulthys.com)
     AbstractAccessDecisionManager.accessDenied=Acc\u00E8s refus\u00E9
    +AbstractLdapAuthenticationProvider.emptyPassword=Le mot de passe est obligatoire
     AbstractSecurityInterceptor.authenticationNotFound=Aucun objet Authentication n'a \u00E9t\u00E9 trouv\u00E9 dans le SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Les identifications sont erron\u00E9es
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Les identifications de l'utilisateur ont expir\u00E9
    
  • core/src/main/resources/org/springframework/security/messages_it.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Accesso negato
    +AbstractLdapAuthenticationProvider.badCredentials=Credenziali non valide
     AbstractSecurityInterceptor.authenticationNotFound=Nessuna autenticazione trovata dentro il Security Context
     AbstractUserDetailsAuthenticationProvider.badCredentials=Credenziali non valide
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenziali dell'utente scadute
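Review bot: the key added here, `AbstractLdapAuthenticationProvider.badCredentials`, is not the key the provider looks up; the Java hunk in this same commit calls `messages.getMessage("AbstractLdapAuthenticationProvider.emptyPassword", "Empty Password")`, so for an Italian locale the lookup misses this bundle and falls back to the base messages.properties text "Empty Password", leaving this line unused. Rename it to `AbstractLdapAuthenticationProvider.emptyPassword=Credenziali non valide` to match the other locale files in the commit.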
    
  • core/src/main/resources/org/springframework/security/messages_ko_KR.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=\uC811\uADFC\uC774 \uAC70\uBD80\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
    +AbstractLdapAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
     AbstractSecurityInterceptor.authenticationNotFound=SecurityContext\uC5D0\uC11C Authentication \uAC1D\uCCB4\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.
     AbstractUserDetailsAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638(credential)\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=\uBE44\uBC00\uBC88\uD638(credential)\uC758 \uC720\uD6A8 \uAE30\uAC04\uC774 \uB9CC\uB8CC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
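Review bot: same key mismatch as in messages_it.properties: the line adds `AbstractLdapAuthenticationProvider.badCredentials`, but the code in this commit resolves `AbstractLdapAuthenticationProvider.emptyPassword`, so Korean users will see the English fallback and this translation is never read. Change the key to `AbstractLdapAuthenticationProvider.emptyPassword`.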
    
  • core/src/main/resources/org/springframework/security/messages_lt.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Pri\u0117jimas neleid\u017eiamas
    +AbstractLdapAuthenticationProvider.emptyPassword=Tu\u0161\u010dias slapta\u017eodis
     AbstractSecurityInterceptor.authenticationNotFound=Authentication objektas nerastas SecurityContext kontekste
     AbstractUserDetailsAuthenticationProvider.badCredentials=Blogi kredencialai
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Pasibaig\u0117 vartotojo kredencial\u0173 galiojimas
    
  • core/src/main/resources/org/springframework/security/messages_pl.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Dost\u0119p zabroniony
    +AbstractLdapAuthenticationProvider.emptyPassword=Niepoprawne dane uwierzytelniaj\u0105ce
     AbstractSecurityInterceptor.authenticationNotFound=Obiekt Authentication nie zosta\u0142 odnaleziony w SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Niepoprawne dane uwierzytelniaj\u0105ce
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Wa\u017Cno\u015B\u0107 danych uwierzytelniaj\u0105cych wygas\u0142a
    
  • core/src/main/resources/org/springframework/security/messages.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Access is denied
    +AbstractLdapAuthenticationProvider.emptyPassword=Empty Password
     AbstractSecurityInterceptor.authenticationNotFound=An Authentication object was not found in the SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Bad credentials
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=User credentials have expired
    
  • core/src/main/resources/org/springframework/security/messages_pt_BR.properties (+1 −0) modified
    @@ -2,6 +2,7 @@
     # Messages in Brazilian Portuguese
     # Translation by Leonardo Pinto (leoviveiros@gmail.com)
     AbstractAccessDecisionManager.accessDenied=Acesso negado
    +AbstractLdapAuthenticationProvider.emptyPassword=Usu\u00E1rio inexistente ou senha inv\u00E1lida
     AbstractSecurityInterceptor.authenticationNotFound=Um objeto de autentica\u00E7\u00E3o n\u00E3o foi encontrado no SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Usu\u00E1rio inexistente ou senha inv\u00E1lida
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenciais expiradas
    
  • core/src/main/resources/org/springframework/security/messages_pt_PT.properties (+1 −0) modified
    @@ -1,6 +1,7 @@
     # Spring Security Portuguese Resource Bundle
     # Author: Jos� Santos
     AbstractAccessDecisionManager.accessDenied=Acesso negado
    +AbstractLdapAuthenticationProvider.emptyPassword=Credenciais inv\u00E1lidas
     AbstractSecurityInterceptor.authenticationNotFound=Objecto Authentication n\u00E3o encontrado em SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciais inv\u00E1lidas
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=As credenciais do utilizador expiraram
    
  • core/src/main/resources/org/springframework/security/messages_uk_UA.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=\u0414\u043E\u0441\u0442\u0443\u043F \u0437\u0430\u0431\u043E\u0440\u043E\u043D\u0435\u043D\u0438\u0439
    +AbstractLdapAuthenticationProvider.emptyPassword=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456
     AbstractSecurityInterceptor.authenticationNotFound=\u041E\u0431'\u0454\u043A\u0442 Authentication \u043D\u0435 \u0437\u043D\u0430\u0439\u0434\u0435\u043D\u0438\u0439 \u0432 SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u041F\u043E\u0432\u043D\u043E\u0432\u0430\u0436\u0435\u043D\u043D\u044F \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0432\u0438\u0447\u0435\u0440\u043F\u0430\u043B\u0438 \u0442\u0435\u0440\u043C\u0456\u043D \u0434\u0456\u0457
    
  • core/src/main/resources/org/springframework/security/messages_zh_CN.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=\u4E0D\u5141\u8BB8\u8BBF\u95EE
    +AbstractLdapAuthenticationProvider.emptyPassword=\u574F\u7684\u51ED\u8BC1
     AbstractSecurityInterceptor.authenticationNotFound=\u672A\u5728SecurityContext\u4E2D\u67E5\u627E\u5230\u8BA4\u8BC1\u5BF9\u8C61
     AbstractUserDetailsAuthenticationProvider.badCredentials=\u574F\u7684\u51ED\u8BC1
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u7528\u6237\u51ED\u8BC1\u5DF2\u8FC7\u671F
    
  • ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java (+20 −1) modified
    @@ -1,4 +1,18 @@
    -package org.springframework.security.ldap.authentication;
    +/*
    + * Copyright 2002-2014 the original author or authors.
    + *
    + * Licensed under the Apache License, Version 2.0 (the "License");
    + * you may not use this file except in compliance with the License.
    + * You may obtain a copy of the License at
    + *
    + *      http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */package org.springframework.security.ldap.authentication;
     
     import org.apache.commons.logging.Log;
     import org.apache.commons.logging.LogFactory;
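Review bot: the closing `*/` of the new license header and the `package` declaration share one line (`+ */package org.springframework.security.ldap.authentication;`). It compiles, but it is an accidental join; put a newline after `*/` so the package statement stands on its own line as in the rest of the code base.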
    @@ -56,6 +70,11 @@ public Authentication authenticate(Authentication authentication) throws Authent
                         "Empty Username"));
             }
     
    +        if (!StringUtils.hasLength(password)) {
    +            throw new BadCredentialsException(messages.getMessage("AbstractLdapAuthenticationProvider.emptyPassword",
    +                    "Empty Password"));
    +        }
    +
             Assert.notNull(password, "Null password was supplied in authentication token");
     
             DirContextOperations userData = doAuthentication(userToken);
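Review bot: with the new `!StringUtils.hasLength(password)` guard in place (hasLength returns false for null as well as for the empty string), the `Assert.notNull(password, "Null password was supplied in authentication token")` that follows can no longer fire and should be removed rather than left as a second, dead path. The hunk also adds no import while the visible context shows only the commons-logging imports, so confirm `org.springframework.util.StringUtils` is already imported in this file. The placement itself is right: the check runs before `doAuthentication(userToken)`, so an empty password never reaches the directory and cannot turn into an unauthenticated bind.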
    
  • ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java (+7 −1) modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2012 the original author or authors.
    + * Copyright 2002-2014 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
      * the License. You may obtain a copy of the License at
    @@ -143,6 +143,12 @@ public void noUserSearchCausesUsernameNotFound() throws Exception {
             provider.authenticate(joe);
         }
     
    +    // SEC-2500
    +    @Test(expected = BadCredentialsException.class)
    +    public void sec2500PreventAnonymousBind() {
    +        provider.authenticate(new UsernamePasswordAuthenticationToken("rwinch", ""));
    +    }
    +
         @SuppressWarnings("unchecked")
         @Test(expected = IncorrectResultSizeDataAccessException.class)
         public void duplicateUserSearchCausesError() throws Exception {
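Review bot: `sec2500PreventAnonymousBind` exercises only the empty-string password; since the guard it tests also rejects null, a sibling case with `new UsernamePasswordAuthenticationToken("rwinch", null)` would pin that behaviour down. `@Test(expected = BadCredentialsException.class)` is satisfied by a BadCredentialsException raised anywhere inside `authenticate`, so asserting on the message ("Empty Password") would tie the failure to the new guard rather than to whatever the configured directory would have answered.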
    
7dbb8e777ece

SEC-2500: Prevent anonymous bind for ActiveDirectoryLdapAuthenticator

15 files changed · +40 −2
  • core/src/main/resources/org/springframework/security/messages_cs_CZ.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=P\u0159\u00EDstup odep\u0159en
    +AbstractLdapAuthenticationProvider.emptyPassword=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje
     AbstractSecurityInterceptor.authenticationNotFound=Nebyl nalezen \u017E\u00E1dn\u00FD Authentication objekt v SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Platnost u\u017Eivatelsk\u00E9ho hesla vypr\u0161ela
    
  • core/src/main/resources/org/springframework/security/messages_de.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Zugriff verweigert
    +AbstractLdapAuthenticationProvider.emptyPassword=Ung\u00FCltige Benutzerberechtigungen
     AbstractSecurityInterceptor.authenticationNotFound=Im SecurityContext wurde keine Authentifikation gefunden
     AbstractUserDetailsAuthenticationProvider.badCredentials=Ung\u00FCltige Benutzerberechtigungen
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Die G\u00FCltigkeit der Benutzerberechtigungen ist abgelaufen
    
  • core/src/main/resources/org/springframework/security/messages_es_ES.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Acceso denegado
    +AbstractLdapAuthenticationProvider.emptyPassword=Credenciales err\u00F3neas
     AbstractSecurityInterceptor.authenticationNotFound=El objeto Authentication no ha sido encontrado en el SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciales err\u00F3neas
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Las credenciales del usuario han expirado
    
  • core/src/main/resources/org/springframework/security/messages_fr.properties (+1 −0) modified
    @@ -3,6 +3,7 @@
     # Translation by Laurent Pireyn (laurent.pireyn@pisolutions.eu)
     # Translation by Valentin Crettaz (valentin.crettaz@consulthys.com)
     AbstractAccessDecisionManager.accessDenied=Acc\u00E8s refus\u00E9
    +AbstractLdapAuthenticationProvider.emptyPassword=Le mot de passe est obligatoire
     AbstractSecurityInterceptor.authenticationNotFound=Aucun objet Authentication n'a \u00E9t\u00E9 trouv\u00E9 dans le SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Les identifications sont erron\u00E9es
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Les identifications de l'utilisateur ont expir\u00E9
    
  • core/src/main/resources/org/springframework/security/messages_it.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Accesso negato
    +AbstractLdapAuthenticationProvider.badCredentials=Credenziali non valide
     AbstractSecurityInterceptor.authenticationNotFound=Nessuna autenticazione trovata dentro il Security Context
     AbstractUserDetailsAuthenticationProvider.badCredentials=Credenziali non valide
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenziali dell'utente scadute
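Review bot: the added key `AbstractLdapAuthenticationProvider.badCredentials` does not match `AbstractLdapAuthenticationProvider.emptyPassword`, the key the Java change in this commit resolves, so this Italian text is never returned and the English fallback is shown instead. Rename the key to `AbstractLdapAuthenticationProvider.emptyPassword`.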
    
  • core/src/main/resources/org/springframework/security/messages_ko_KR.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=\uC811\uADFC\uC774 \uAC70\uBD80\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
    +AbstractLdapAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
     AbstractSecurityInterceptor.authenticationNotFound=SecurityContext\uC5D0\uC11C Authentication \uAC1D\uCCB4\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.
     AbstractUserDetailsAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638(credential)\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=\uBE44\uBC00\uBC88\uD638(credential)\uC758 \uC720\uD6A8 \uAE30\uAC04\uC774 \uB9CC\uB8CC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
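Review bot: the key on the added line is `AbstractLdapAuthenticationProvider.badCredentials`, while the provider looks up `AbstractLdapAuthenticationProvider.emptyPassword`; the Korean message is therefore dead and should be keyed `AbstractLdapAuthenticationProvider.emptyPassword` like the other locale files here.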
    
  • core/src/main/resources/org/springframework/security/messages_lt.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Pri\u0117jimas neleid\u017eiamas
    +AbstractLdapAuthenticationProvider.emptyPassword=Tu\u0161\u010dias slapta\u017eodis
     AbstractSecurityInterceptor.authenticationNotFound=Authentication objektas nerastas SecurityContext kontekste
     AbstractUserDetailsAuthenticationProvider.badCredentials=Blogi kredencialai
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Pasibaig\u0117 vartotojo kredencial\u0173 galiojimas
    
  • core/src/main/resources/org/springframework/security/messages_pl.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Dost\u0119p zabroniony
    +AbstractLdapAuthenticationProvider.emptyPassword=Niepoprawne dane uwierzytelniaj\u0105ce
     AbstractSecurityInterceptor.authenticationNotFound=Obiekt Authentication nie zosta\u0142 odnaleziony w SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Niepoprawne dane uwierzytelniaj\u0105ce
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Wa\u017Cno\u015B\u0107 danych uwierzytelniaj\u0105cych wygas\u0142a
    
  • core/src/main/resources/org/springframework/security/messages.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Access is denied
    +AbstractLdapAuthenticationProvider.emptyPassword=Empty Password
     AbstractSecurityInterceptor.authenticationNotFound=An Authentication object was not found in the SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Bad credentials
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=User credentials have expired
    
  • core/src/main/resources/org/springframework/security/messages_pt_BR.properties (+1 −0) modified
    @@ -2,6 +2,7 @@
     # Messages in Brazilian Portuguese
     # Translation by Leonardo Pinto (leoviveiros@gmail.com)
     AbstractAccessDecisionManager.accessDenied=Acesso negado
    +AbstractLdapAuthenticationProvider.emptyPassword=Usu\u00E1rio inexistente ou senha inv\u00E1lida
     AbstractSecurityInterceptor.authenticationNotFound=Um objeto de autentica\u00E7\u00E3o n\u00E3o foi encontrado no SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Usu\u00E1rio inexistente ou senha inv\u00E1lida
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenciais expiradas
    
  • core/src/main/resources/org/springframework/security/messages_pt_PT.properties (+1 −0) modified
    @@ -1,6 +1,7 @@
     # Spring Security Portuguese Resource Bundle
     # Author: Jos� Santos
     AbstractAccessDecisionManager.accessDenied=Acesso negado
    +AbstractLdapAuthenticationProvider.emptyPassword=Credenciais inv\u00E1lidas
     AbstractSecurityInterceptor.authenticationNotFound=Objecto Authentication n\u00E3o encontrado em SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciais inv\u00E1lidas
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=As credenciais do utilizador expiraram
    
  • core/src/main/resources/org/springframework/security/messages_uk_UA.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=\u0414\u043E\u0441\u0442\u0443\u043F \u0437\u0430\u0431\u043E\u0440\u043E\u043D\u0435\u043D\u0438\u0439
    +AbstractLdapAuthenticationProvider.emptyPassword=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456
     AbstractSecurityInterceptor.authenticationNotFound=\u041E\u0431'\u0454\u043A\u0442 Authentication \u043D\u0435 \u0437\u043D\u0430\u0439\u0434\u0435\u043D\u0438\u0439 \u0432 SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u041F\u043E\u0432\u043D\u043E\u0432\u0430\u0436\u0435\u043D\u043D\u044F \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0432\u0438\u0447\u0435\u0440\u043F\u0430\u043B\u0438 \u0442\u0435\u0440\u043C\u0456\u043D \u0434\u0456\u0457
    
  • core/src/main/resources/org/springframework/security/messages_zh_CN.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=\u4E0D\u5141\u8BB8\u8BBF\u95EE
    +AbstractLdapAuthenticationProvider.emptyPassword=\u574F\u7684\u51ED\u8BC1
     AbstractSecurityInterceptor.authenticationNotFound=\u672A\u5728SecurityContext\u4E2D\u67E5\u627E\u5230\u8BA4\u8BC1\u5BF9\u8C61
     AbstractUserDetailsAuthenticationProvider.badCredentials=\u574F\u7684\u51ED\u8BC1
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u7528\u6237\u51ED\u8BC1\u5DF2\u8FC7\u671F
    
  • ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java (+20 −1) modified
    @@ -1,4 +1,18 @@
    -package org.springframework.security.ldap.authentication;
    +/*
    + * Copyright 2002-2014 the original author or authors.
    + *
    + * Licensed under the Apache License, Version 2.0 (the "License");
    + * you may not use this file except in compliance with the License.
    + * You may obtain a copy of the License at
    + *
    + *      http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */package org.springframework.security.ldap.authentication;
     
     import org.apache.commons.logging.Log;
     import org.apache.commons.logging.LogFactory;
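Review bot: `+ */package org.springframework.security.ldap.authentication;` runs the end of the license comment into the package statement; insert a line break after `*/`.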
    @@ -56,6 +70,11 @@ public Authentication authenticate(Authentication authentication) throws Authent
                         "Empty Username"));
             }
     
    +        if (!StringUtils.hasLength(password)) {
    +            throw new BadCredentialsException(messages.getMessage("AbstractLdapAuthenticationProvider.emptyPassword",
    +                    "Empty Password"));
    +        }
    +
             Assert.notNull(password, "Null password was supplied in authentication token");
     
             DirContextOperations userData = doAuthentication(userToken);
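Review bot: after the new `!StringUtils.hasLength(password)` check, which throws for both null and empty input, the following `Assert.notNull(password, ...)` is unreachable and should go. The hunk adds no import, so verify `org.springframework.util.StringUtils` is already imported; only the commons-logging imports are visible in the context. The guard is correctly placed ahead of `doAuthentication(userToken)`.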
    
  • ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java (+7 −1) modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2012 the original author or authors.
    + * Copyright 2002-2014 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
      * the License. You may obtain a copy of the License at
    @@ -143,6 +143,12 @@ public void noUserSearchCausesUsernameNotFound() throws Exception {
             provider.authenticate(joe);
         }
     
    +    // SEC-2500
    +    @Test(expected = BadCredentialsException.class)
    +    public void sec2500PreventAnonymousBind() {
    +        provider.authenticate(new UsernamePasswordAuthenticationToken("rwinch", ""));
    +    }
    +
         @SuppressWarnings("unchecked")
         @Test(expected = IncorrectResultSizeDataAccessException.class)
         public void duplicateUserSearchCausesError() throws Exception {
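Review bot: the new test covers the empty string only; add a null-password case as well, since the guard rejects both, and consider asserting the "Empty Password" message so that the expected BadCredentialsException is known to come from the new check rather than from the directory lookup.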
    
88559882e967

SEC-2500: Prevent anonymous bind for ActiveDirectoryLdapAuthenticator

15 files changed · +40 −2
  • core/src/main/resources/org/springframework/security/messages_cs_CZ.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=P\u0159\u00EDstup odep\u0159en
    +AbstractLdapAuthenticationProvider.emptyPassword=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje
     AbstractSecurityInterceptor.authenticationNotFound=Nebyl nalezen \u017E\u00E1dn\u00FD Authentication objekt v SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Platnost u\u017Eivatelsk\u00E9ho hesla vypr\u0161ela
    
  • core/src/main/resources/org/springframework/security/messages_de.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Zugriff verweigert
    +AbstractLdapAuthenticationProvider.emptyPassword=Ung\u00FCltige Benutzerberechtigungen
     AbstractSecurityInterceptor.authenticationNotFound=Im SecurityContext wurde keine Authentifikation gefunden
     AbstractUserDetailsAuthenticationProvider.badCredentials=Ung\u00FCltige Benutzerberechtigungen
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Die G\u00FCltigkeit der Benutzerberechtigungen ist abgelaufen
    
  • core/src/main/resources/org/springframework/security/messages_es_ES.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Acceso denegado
    +AbstractLdapAuthenticationProvider.emptyPassword=Credenciales err\u00F3neas
     AbstractSecurityInterceptor.authenticationNotFound=El objeto Authentication no ha sido encontrado en el SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciales err\u00F3neas
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Las credenciales del usuario han expirado
    
  • core/src/main/resources/org/springframework/security/messages_fr.properties (+1 −0) modified
    @@ -3,6 +3,7 @@
     # Translation by Laurent Pireyn (laurent.pireyn@pisolutions.eu)
     # Translation by Valentin Crettaz (valentin.crettaz@consulthys.com)
     AbstractAccessDecisionManager.accessDenied=Acc\u00E8s refus\u00E9
    +AbstractLdapAuthenticationProvider.emptyPassword=Le mot de passe est obligatoire
     AbstractSecurityInterceptor.authenticationNotFound=Aucun objet Authentication n'a \u00E9t\u00E9 trouv\u00E9 dans le SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Les cr\u00E9ances sont erron\u00E9es
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Les cr\u00E9ances de l'utilisateur ont expir\u00E9
    
  • core/src/main/resources/org/springframework/security/messages_it.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Accesso negato
    +AbstractLdapAuthenticationProvider.badCredentials=Credenziali non valide
     AbstractSecurityInterceptor.authenticationNotFound=Nessuna autenticazione trovata dentro il Security Context
     AbstractUserDetailsAuthenticationProvider.badCredentials=Credenziali non valide
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenziali dell'utente scadute
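Review bot: the key `AbstractLdapAuthenticationProvider.badCredentials` added here is not the `AbstractLdapAuthenticationProvider.emptyPassword` key the provider resolves, so the Italian message is never used; rename it to `AbstractLdapAuthenticationProvider.emptyPassword`.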
    
  • core/src/main/resources/org/springframework/security/messages_ko_KR.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=\uC811\uADFC\uC774 \uAC70\uBD80\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
    +AbstractLdapAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
     AbstractSecurityInterceptor.authenticationNotFound=SecurityContext\uC5D0\uC11C Authentication \uAC1D\uCCB4\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.
     AbstractUserDetailsAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638(credential)\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=\uBE44\uBC00\uBC88\uD638(credential)\uC758 \uC720\uD6A8 \uAE30\uAC04\uC774 \uB9CC\uB8CC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
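Review bot: as in messages_it.properties, the added line uses the key `AbstractLdapAuthenticationProvider.badCredentials` instead of `AbstractLdapAuthenticationProvider.emptyPassword`, so this Korean translation is dead; fix the key name.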
    
  • core/src/main/resources/org/springframework/security/messages_lt.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Pri\u0117jimas neleid\u017eiamas
    +AbstractLdapAuthenticationProvider.emptyPassword=Tu\u0161\u010dias slapta\u017eodis
     AbstractSecurityInterceptor.authenticationNotFound=Authentication objektas nerastas SecurityContext kontekste
     AbstractUserDetailsAuthenticationProvider.badCredentials=Blogi kredencialai
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Pasibaig\u0117 vartotojo kredencial\u0173 galiojimas
    
  • core/src/main/resources/org/springframework/security/messages_pl.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Dost\u0119p zabroniony
    +AbstractLdapAuthenticationProvider.emptyPassword=Niepoprawne dane uwierzytelniaj\u0105ce
     AbstractSecurityInterceptor.authenticationNotFound=Obiekt Authentication nie zosta\u0142 odnaleziony w SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Niepoprawne dane uwierzytelniaj\u0105ce
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Wa\u017Cno\u015B\u0107 danych uwierzytelniaj\u0105cych wygas\u0142a
    
  • core/src/main/resources/org/springframework/security/messages.properties (+1 −0) modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=Access is denied
    +AbstractLdapAuthenticationProvider.emptyPassword=Empty Password
     AbstractSecurityInterceptor.authenticationNotFound=An Authentication object was not found in the SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Bad credentials
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=User credentials have expired
    
  • core/src/main/resources/org/springframework/security/messages_pt_BR.properties (+1 −0) modified
    @@ -2,6 +2,7 @@
     # Messages in Brazilian Portuguese
     # Translation by Leonardo Pinto (leoviveiros@gmail.com)
     AbstractAccessDecisionManager.accessDenied=Acesso negado
    +AbstractLdapAuthenticationProvider.emptyPassword=Usu\u00E1rio inexistente ou senha inv\u00E1lida
     AbstractSecurityInterceptor.authenticationNotFound=Um objeto de autentica\u00E7\u00E3o n\u00E3o foi encontrado no SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Usu\u00E1rio inexistente ou senha inv\u00E1lida
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenciais expiradas
    
  • core/src/main/resources/org/springframework/security/messages_pt_PT.properties (+1 −0) modified
    @@ -1,6 +1,7 @@
     # Spring Security Portuguese Resource Bundle
     # Author: Jos� Santos
     AbstractAccessDecisionManager.accessDenied=Acesso negado
    +AbstractLdapAuthenticationProvider.emptyPassword=Credenciais inv\u00E1lidas
     AbstractSecurityInterceptor.authenticationNotFound=Objecto Authentication n\u00E3o encontrado em SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciais inv\u00E1lidas
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=As credenciais do utilizador expiraram
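Review bot: the `# Author: Jos� Santos` context line carries a raw non-ASCII byte that is already mangled, while every value in this file uses `\uXXXX` escapes; since `java.util.Properties` reads bundles as ISO-8859-1, the comment should be escaped the same way or reduced to ASCII. Not introduced by this change, but worth fixing while the file is being touched.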
    
  • core/src/main/resources/org/springframework/security/messages_uk_UA.properties+1 0 modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=\u0414\u043E\u0441\u0442\u0443\u043F \u0437\u0430\u0431\u043E\u0440\u043E\u043D\u0435\u043D\u0438\u0439
    +AbstractLdapAuthenticationProvider.emptyPassword=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456
     AbstractSecurityInterceptor.authenticationNotFound=\u041E\u0431'\u0454\u043A\u0442 Authentication \u043D\u0435 \u0437\u043D\u0430\u0439\u0434\u0435\u043D\u0438\u0439 \u0432 SecurityContext
     AbstractUserDetailsAuthenticationProvider.badCredentials=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u041F\u043E\u0432\u043D\u043E\u0432\u0430\u0436\u0435\u043D\u043D\u044F \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0432\u0438\u0447\u0435\u0440\u043F\u0430\u043B\u0438 \u0442\u0435\u0440\u043C\u0456\u043D \u0434\u0456\u0457
    
  • core/src/main/resources/org/springframework/security/messages_zh_CN.properties+1 0 modified
    @@ -1,4 +1,5 @@
     AbstractAccessDecisionManager.accessDenied=\u4E0D\u5141\u8BB8\u8BBF\u95EE
    +AbstractLdapAuthenticationProvider.emptyPassword=\u574F\u7684\u51ED\u8BC1
     AbstractSecurityInterceptor.authenticationNotFound=\u672A\u5728SecurityContext\u4E2D\u67E5\u627E\u5230\u8BA4\u8BC1\u5BF9\u8C61
     AbstractUserDetailsAuthenticationProvider.badCredentials=\u574F\u7684\u51ED\u8BC1
     AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u7528\u6237\u51ED\u8BC1\u5DF2\u8FC7\u671F
    
  • ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java+20 1 modified
    @@ -1,4 +1,18 @@
    -package org.springframework.security.ldap.authentication;
    +/*
    + * Copyright 2002-2014 the original author or authors.
    + *
    + * Licensed under the Apache License, Version 2.0 (the "License");
    + * you may not use this file except in compliance with the License.
    + * You may obtain a copy of the License at
    + *
    + *      http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */package org.springframework.security.ldap.authentication;
     
     import org.apache.commons.logging.Log;
     import org.apache.commons.logging.LogFactory;
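Review bot: the closing `*/` of the new license header and the `package` declaration share one line (`*/package org.springframework.security.ldap.authentication;`). It compiles, but the header should end with a newline so that `package` starts its own line, matching the license block layout in the other source files of this commit.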
    @@ -56,6 +70,11 @@ public Authentication authenticate(Authentication authentication) throws Authent
                         "Empty Username"));
             }
     
    +        if (!StringUtils.hasLength(password)) {
    +            throw new BadCredentialsException(messages.getMessage("AbstractLdapAuthenticationProvider.emptyPassword",
    +                    "Empty Password"));
    +        }
    +
             Assert.notNull(password, "Null password was supplied in authentication token");
     
             DirContextOperations userData = doAuthentication(userToken);
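Review bot: `Assert.notNull(password, ...)` is now unreachable for a null password, because `!StringUtils.hasLength(password)` rejects both `null` and `""` first; drop the assertion, and note in the Javadoc that a null password now fails with `BadCredentialsException` instead of `IllegalArgumentException`. The placement is right: the check sits after the empty-username check and before `doAuthentication(userToken)`, so neither LDAP provider built on this base class opens a directory connection with an empty credential that the server could treat as an anonymous bind, which is the root cause the advisory describes.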
    
  • ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java+7 1 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2012 the original author or authors.
    + * Copyright 2002-2014 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
      * the License. You may obtain a copy of the License at
    @@ -141,6 +141,12 @@ public void noUserSearchCausesUsernameNotFound() throws Exception {
             provider.authenticate(joe);
         }
     
    +    // SEC-2500
    +    @Test(expected = BadCredentialsException.class)
    +    public void sec2500PreventAnonymousBind() {
    +        provider.authenticate(new UsernamePasswordAuthenticationToken("rwinch", ""));
    +    }
    +
         @SuppressWarnings("unchecked")
         @Test(expected = IncorrectResultSizeDataAccessException.class)
         public void duplicateUserSearchCausesError() throws Exception {
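Review bot: `sec2500PreventAnonymousBind` only checks that some `BadCredentialsException` is raised for `("rwinch", "")`; a failed bind against the configured directory would raise the same type, so the test cannot tell the new pre-bind rejection from an ordinary authentication failure. Assert on the message (the `emptyPassword` key, default `Empty Password`) or verify through a mocked context that no bind was attempted, and add a companion case for a `null` password, which the new `StringUtils.hasLength` check also rejects.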
    
