Description

DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.

Remediation

References

http://support.springsource.com/security/CVE-2012-5055

Related Vulnerabilities

CVE-2014-0230 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2022-23710 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2022-34812 Vulnerability in maven package org.jenkins-ci.plugins:xpath-config-viewer

CVE-2021-21686 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-35912 Vulnerability in maven package org.grails:grails-databinding

Severity

Critical

Classification

CWE-200

Tags

Vendor Advisory