Spring LDAP's DirContextAuthenticationStrategy implementations fail to properly validate authentication attempts by accepting bind requests with a non-empty username and an empty or null password. This improper authentication (CWE-287) affects versions 2.4.0 through 2.4.4, 3.2.0 through 3.2.17, 3.3.0 through 3.3.7, and 4.0.0 through 4.0.3. The CVSS 3.1 base score is 7.4, indicating a high severity vulnerability with network attack vector, high complexity, no privileges required, no user interaction, and impacts confidentiality and integrity but not availability. No patch or official remediation level has been disclosed by the vendor as of the publication date.

Successful exploitation could allow an attacker to bypass authentication controls by submitting a bind request with a valid username but no password, potentially leading to unauthorized access and compromise of confidentiality and integrity of the LDAP service. Availability is not impacted. There are no known exploits in the wild currently.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider additional access controls or monitoring around LDAP authentication attempts to detect anomalous bind requests with empty passwords. Avoid deploying affected versions in sensitive environments without compensating controls.