High severity8.1NVD Advisory· Published Nov 27, 2017· Updated May 13, 2026

CVE-2017-8028

Description

In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.springframework.ldap:spring-ldap-coreMaven	>= 1.3.0, < 2.3.2	2.3.2

Affected products

Pivotal Software/Spring LDAP14 versions
cpe:2.3:a:pivotal_software:spring-ldap:1.3.0:*:*:*:*:*:*:*+ 13 more
- cpe:2.3:a:pivotal_software:spring-ldap:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring-ldap:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring-ldap:1.3.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring-ldap:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring-ldap:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring-ldap:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring-ldap:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring-ldap:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring-ldap:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring-ldap:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring-ldap:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring-ldap:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring-ldap:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring-ldap:2.3.1:*:*:*:*:*:*:*
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
N/A/Spring LDAP Spring LDAP Versions 1.3.0 2.3.1v5
Range: Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1

Patches

08e8ae289bbd

Force reconnect with credentials on DefaultTlsDirContextAuthenticationStrategy

https://github.com/spring-projects/spring-ldapTobias SchneiderNov 25, 2016via ghsa

commit

1 file changed · +2 −0

core/src/main/java/org/springframework/ldap/core/support/DefaultTlsDirContextAuthenticationStrategy.java+2 −0 modified

@@ -36,6 +36,8 @@ protected void applyAuthentication(LdapContext ctx, String userDn, String passwo
 		ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, SIMPLE_AUTHENTICATION);

 		ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);

 		ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);

+		// Force reconnect with user credentials

+		ctx.reconnect(null);

 	}

 

 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-pjqh-2jcc-5j84ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-8028ghsaADVISORY
pivotal.io/security/cve-2017-8028nvdIssue TrackingVendor AdvisoryWEB
www.debian.org/security/2017/dsa-4046nvdIssue TrackingThird Party AdvisoryWEB
access.redhat.com/errata/RHSA-2018:0319nvdWEB
github.com/spring-projects/spring-ldap/commit/08e8ae289bbd1b581986c7238604a147119c1336ghsaWEB
lists.debian.org/debian-lts-announce/2017/11/msg00026.htmlnvdWEB
www.oracle.com/security-alerts/cpujan2021.htmlnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000