Refine your search
2 vulnerabilities found for Spring LDAP by Spring
CVE-2026-41720 (GCVE-0-2026-41720)
Vulnerability from cvelistv5
Published
2026-06-09 03:48
Modified
2026-06-10 03:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password.
Affected versions:
Spring LDAP 2.4.0 through 2.4.4; 3.2.0 through 3.2.17; 3.3.0 through 3.3.7; 4.0.0 through 4.0.3.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring | Spring LDAP |
Version: 2.4.0 < 2.4.5 Version: 3.2.0 < 3.2.18 Version: 3.3.0 < 3.3.8 Version: 4.0.0 < 4.0.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41720",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T03:58:34.141Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring LDAP",
"vendor": "Spring",
"versions": [
{
"lessThan": "2.4.5",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
},
{
"lessThan": "3.2.18",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "3.3.8",
"status": "affected",
"version": "3.3.0",
"versionType": "custom"
},
{
"lessThan": "4.0.4",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Spring LDAP\u0027s DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password.\n\nAffected versions:\nSpring LDAP 2.4.0 through 2.4.4; 3.2.0 through 3.2.17; 3.3.0 through 3.3.7; 4.0.0 through 4.0.3."
}
],
"value": "Spring LDAP\u0027s DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password.\n\nAffected versions:\nSpring LDAP 2.4.0 through 2.4.4; 3.2.0 through 3.2.17; 3.3.0 through 3.3.7; 4.0.0 through 4.0.3."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker with a valid username and an empty password can bypass password verification on LDAP servers that permit unauthenticated binds, gaining unauthorized access."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T03:48:56.229Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41720"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass with Empty Password in Spring LDAP",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41720",
"datePublished": "2026-06-09T03:48:56.229Z",
"dateReserved": "2026-04-22T06:21:37.021Z",
"dateUpdated": "2026-06-10T03:58:34.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-38829 (GCVE-0-2024-38829)
Vulnerability from cvelistv5
Published
2024-12-04 21:06
Modified
2024-12-10 14:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried
Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring | Spring LDAP |
Version: 2.4.0 Version: 3.0.0 Version: 3.1.0 Version: 3.2.0 Version: 0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T17:10:00.599129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T17:10:15.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring LDAP",
"vendor": "Spring",
"versions": [
{
"lessThanOrEqual": "2.4.3",
"status": "affected",
"version": "2.4.0",
"versionType": "Spring LDAP"
},
{
"lessThanOrEqual": "3.0.9",
"status": "affected",
"version": "3.0.0",
"versionType": "Spring LDAP"
},
{
"lessThanOrEqual": "3.1.7",
"status": "affected",
"version": "3.1.0",
"versionType": "Spring LDAP"
},
{
"lessThanOrEqual": "3.2.7",
"status": "affected",
"version": "3.2.0",
"versionType": "Spring LDAP"
},
{
"lessThanOrEqual": "2.4.0",
"status": "affected",
"version": "0",
"versionType": "Spring LDAP"
}
]
}
],
"datePublic": "2024-11-19T21:04:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.\u003cp\u003eThis issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\u003c/p\u003eThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\u003cbr\u003e\u003cp\u003eRelated to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://spring.io/security/cve-2024-38820\"\u003eCVE-2024-38820\u003c/a\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\n\nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\nRelated to CVE-2024-38820 https://spring.io/security/cve-2024-38820"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "CAPEC-NOINFO"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T14:33:55.692Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://spring.io/security/cve-2024-38829"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spring LDAP sensitive data exposure for case-sensitive comparisons",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-38829",
"datePublished": "2024-12-04T21:06:05.021Z",
"dateReserved": "2024-06-19T22:32:07.790Z",
"dateUpdated": "2024-12-10T14:33:55.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}