Spring LDAP Authentication Bypass Vulnerability with Empty Password

Vulnerability

A vulnerability exists in Spring LDAP versions 2.4.0 through 2.4.4, 3.2.0 through 3.2.17, 3.3.0 through 3.3.7, and 4.0.0 through 4.0.3. The DirContextAuthenticationStrategy implementations do not reject bind requests that carry a non-empty username together with an empty or null password. LDAP treats a simple bind with a DN but no password as an "unauthenticated" bind (RFC 4513, section 5.1.2): the bind succeeds without any password being checked, and the resulting connection is anonymous. Because the bind is reported as successful, an application that relies on the bind outcome as proof of the password accepts the login. Any code path that ends in such a bind is affected, whether the application calls AbstractContextSource directly or goes through LdapTemplate or LdapClient. Exploitation requires only a valid username and an LDAP server that permits unauthenticated binds; RFC 4513 recommends that servers refuse them by default, but many deployments allow them.
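The call path the advisory describes, shown as an added example rather than code from Spring LDAP or the advisory: a hypothetical login service that passes user-supplied credentials to LdapTemplate.authenticate. The unguarded method is the vulnerable pattern (on an affected version the empty password goes straight to the bind); the guarded method rejects null or empty credentials before any bind is attempted, which is the application-level equivalent of the check the fixed versions add. The host, base DN, attribute names and service account are assumptions.

```java
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.query.LdapQuery;

import static org.springframework.ldap.query.LdapQueryBuilder.query;

/**
 * Hypothetical login service (added example, not Spring LDAP code).
 * Contrasts the unguarded bind path with one that refuses empty credentials.
 */
public class LdapLoginService {

    private final LdapTemplate ldapTemplate;

    public LdapLoginService(LdapTemplate ldapTemplate) {
        this.ldapTemplate = ldapTemplate;
    }

    private static LdapQuery userQuery(String username) {
        // Assumed schema: people are inetOrgPerson entries keyed by uid.
        return query().where("objectclass").is("inetOrgPerson").and("uid").is(username);
    }

    /**
     * Vulnerable pattern. On an affected Spring LDAP version the password is handed
     * to the bind unchecked. If the directory accepts unauthenticated binds
     * (RFC 4513 section 5.1.2), a bind with DN + empty password succeeds and this
     * returns true for any existing username.
     */
    public boolean loginUnguarded(String username, String password) {
        return ldapTemplate.authenticate(userQuery(username), password);
    }

    /**
     * Hardened pattern. Reject null/empty username or password before any network
     * call, so an unauthenticated bind can never stand in for password verification.
     * Keep this check even after upgrading; it is cheap and independent of server config.
     */
    public boolean loginGuarded(String username, String password) {
        if (username == null || username.isEmpty()) {
            return false;
        }
        if (password == null || password.isEmpty()) {
            return false;
        }
        return ldapTemplate.authenticate(userQuery(username), password);
    }

    /** Builds a template bound to an assumed directory; the service account is fictitious. */
    public static LdapTemplate buildTemplate() {
        LdapContextSource cs = new LdapContextSource();
        cs.setUrl("ldap://ldap.example.internal:389");
        cs.setBase("dc=example,dc=internal");
        cs.setUserDn("cn=svc-auth,ou=service,dc=example,dc=internal");
        cs.setPassword(System.getenv("LDAP_SVC_PASSWORD"));
        cs.afterPropertiesSet();
        return new LdapTemplate(cs);
    }

    public static void main(String[] args) {
        LdapLoginService svc = new LdapLoginService(buildTemplate());
        // Against an affected version and a directory that allows unauthenticated
        // binds, the first call can return true; the second always returns false.
        System.out.println("unguarded, empty password: " + svc.loginUnguarded("alice", ""));
        System.out.println("guarded,   empty password: " + svc.loginGuarded("alice", ""));
    }
}
```

The guard belongs in the application regardless of library version, because the outcome also depends on directory configuration: the same code is safe against a server that refuses unauthenticated binds and exploitable against one that does not. Whether a given server permits them can be checked directly with an LDAP client by attempting a simple bind with a real user DN and an empty password and observing whether the server reports success or an "unwilling to perform" style refusal.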

Impact

Exploitation of this vulnerability results in authentication bypass: an attacker who knows or can guess a valid username can authenticate as that user with an empty password, on any LDAP server that permits unauthenticated binds. No interaction with the legitimate user is required, and the attempt looks like an ordinary bind in directory logs.

Remediation

Users should upgrade to Spring LDAP version 2.4.5, 3.2.18, 3.3.8, or 4.0.4, depending on their current branch. Versions 2.4.5 and 3.2.18 are available through Enterprise Support only, while 3.3.8 and 4.0.4 are available as open source. Where an upgrade cannot be applied immediately, reject empty or null passwords in application code before any bind is attempted, and confirm that the LDAP server is configured to refuse unauthenticated binds.

Added: Jun 9, 2026, 6:31 AM
Updated: Jun 9, 2026, 6:31 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 4.7
remediation: 7.7
relevance: 9.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.