VulnerableCode Package Details - pkg:maven/org.springframework.security/spring-security-core@3.2.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-8jtc-ehgu-x3c5 Aliases: CVE-2014-3527 GHSA-wmv4-5w76-vp9g	When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed. If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.	3.2.5 Affected by 0 other vulnerabilities. 3.2.5.RELEASE Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-kqpg-9cqw-nuen Aliases: CVE-2014-0097 GHSA-gv9v-c375-hvmg	The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.	3.2.2.RELEASE Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-8jtc-ehgu-x3c5
Aliases:
CVE-2014-3527
GHSA-wmv4-5w76-vp9g

When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed. If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.

3.2.5
Affected by 0 other vulnerabilities.

3.2.5.RELEASE
Affected by 6 other vulnerabilities.

VCID-kqpg-9cqw-nuen
Aliases:
CVE-2014-0097
GHSA-gv9v-c375-hvmg

The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.

3.2.2.RELEASE
Affected by 7 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T12:37:20.404901+00:00	GitLab Importer	Affected by	VCID-8jtc-ehgu-x3c5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2014-3527.yml	38.0.0
2026-04-01T16:00:48.336100+00:00	GHSA Importer	Affected by	VCID-kqpg-9cqw-nuen	https://github.com/advisories/GHSA-gv9v-c375-hvmg	38.0.0
2026-04-01T15:58:43.478462+00:00	GHSA Importer	Affected by	VCID-8jtc-ehgu-x3c5	https://github.com/advisories/GHSA-wmv4-5w76-vp9g	38.0.0