Description
DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.
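The early-return pattern described above, next to a hardened lookup that does the same hashing work whether or not the user exists. This is an added example, not Spring Security's own code: the class, method and user names, the PBKDF2 parameters and the sample data are all assumptions made for illustration. It counts hash operations per attempt rather than measuring wall-clock time.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class UserNotFoundTiming {
    // Hypothetical in-memory store: username -> {salt, PBKDF2 hash}. Constructed sample data.
    static final Map<String, byte[][]> USERS = new HashMap<>();
    static int hashCalls = 0; // counts expensive hash operations, reset per login attempt
    // Encoded once at startup; compared against when the username is unknown.
    static final byte[][] DUMMY = encode("placeholder-never-matches".toCharArray());

    static byte[] pbkdf2(char[] pw, byte[] salt) {
        try {
            hashCalls++;
            PBEKeySpec spec = new PBEKeySpec(pw, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (Exception e) { throw new IllegalStateException(e); }
    }
    static byte[][] encode(char[] pw) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new byte[][] { salt, pbkdf2(pw, salt) };
    }
    static boolean matches(char[] pw, byte[][] stored) {
        return MessageDigest.isEqual(pbkdf2(pw, stored[0]), stored[1]);
    }

    // Flawed pattern from the description: an unknown user returns before any hashing.
    static boolean loginFlawed(String user, char[] pw) {
        byte[][] stored = USERS.get(user);
        return stored != null && matches(pw, stored);
    }

    // Hardened: an unknown user still costs one hash, against the dummy value, and always fails.
    static boolean loginHardened(String user, char[] pw) {
        byte[][] stored = USERS.get(user);
        boolean ok = matches(pw, stored != null ? stored : DUMMY);
        return stored != null && ok;
    }
    public static void main(String[] args) {
        USERS.put("alice", encode("correct horse".toCharArray()));
        for (String u : new String[] { "alice", "nobody" }) {
            hashCalls = 0; loginFlawed(u, "guess".toCharArray());
            int flawed = hashCalls;
            hashCalls = 0; loginHardened(u, "guess".toCharArray());
            System.out.println(u + ": flawed=" + flawed + " hash call(s), hardened=" + hashCalls);
        }
    }
}
```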
Remediation
References
http://support.springsource.com/security/CVE-2012-5055