The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds, it may incorrectly authenticate a user who supplies an empty password.
[
  {
    "product": "Spring Security",
    "vendor": "Pivotal",
    "versions": [
      {
        "status": "affected",
        "version": "3.2.0 to 3.2.1"
      },
      {
        "status": "affected",
        "version": "3.1.0 to 3.1.5"
      }
    ]
  }
]