Description
DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.
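The timing difference described above, and one way to remove it, shown as an added Java example. This is not Spring Security source and not the project's patch. The class and method names, the PBKDF2 stand-in for the configured password encoder, and the sample account are assumptions made for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

// Added illustration; every name here is hypothetical.
public class TimingSafeLogin {
    static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8); // constructed value

    // Deliberately slow hash, standing in for whatever password encoder is configured.
    static byte[] hash(String password) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), SALT, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // The flaw: an unknown user returns before any hashing happens,
    // so the response is measurably faster than for a known user.
    static boolean loginLeaky(Map<String, byte[]> users, String name, String password) throws Exception {
        byte[] stored = users.get(name);
        if (stored == null) return false;
        return MessageDigest.isEqual(stored, hash(password));
    }

    // Hardened: always hash the presented password and compare it against
    // something, using a precomputed dummy hash when the user does not exist.
    static boolean loginUniform(Map<String, byte[]> users, byte[] dummy,
                                String name, String password) throws Exception {
        byte[] stored = users.get(name);
        boolean found = stored != null;
        boolean matches = MessageDigest.isEqual(found ? stored : dummy, hash(password));
        return found & matches; // non-short-circuit AND: a dummy match can never log anyone in
    }

    public static void main(String[] args) throws Exception {
        Map<String, byte[]> users = Map.of("alice", hash("correct horse")); // constructed account
        byte[] dummy = hash("placeholder-for-missing-user");                // never a real credential
        for (String name : new String[] {"alice", "nobody"}) {
            long t0 = System.nanoTime();
            loginLeaky(users, name, "wrong guess");
            long t1 = System.nanoTime();
            loginUniform(users, dummy, name, "wrong guess");
            long t2 = System.nanoTime();
            System.out.printf("%-6s leaky=%d us  uniform=%d us%n",
                    name, (t1 - t0) / 1000, (t2 - t1) / 1000);
        }
    }
}
```

The dummy hash is computed once at startup with the same encoder and cost as real credentials, so the unknown-user path does the same amount of work as the known-user path.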
Remediation
References
http://support.springsource.com/security/CVE-2012-5055