Description

DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.

Remediation

References

http://support.springsource.com/security/CVE-2012-5055

Related Vulnerabilities

CVE-2022-26612 Vulnerability in maven package org.apache.hadoop:hadoop-common

CVE-2022-25204 Vulnerability in maven package by.dev.madhead.doktor:doktor

CVE-2022-36899 Vulnerability in maven package com.compuware.jenkins:compuware-ispw-operations

CVE-2018-8006 Vulnerability in maven package org.apache.activemq:activemq-web-console

CVE-2020-16017 Vulnerability in npm package electron

Severity

Critical

Classification

CWE-200

Tags

Vendor Advisory