Description

DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.

Remediation

References

http://support.springsource.com/security/CVE-2012-5055

Related Vulnerabilities

CVE-2012-2379 Vulnerability in maven package org.apache.cxf:cxf-bundle-minimal

CVE-2017-5643 Vulnerability in maven package org.apache.camel:camel-core

CVE-2020-13942 Vulnerability in maven package org.apache.unomi:unomi-common

CVE-2021-4178 Vulnerability in maven package io.fabric8:kubernetes-client

CVE-2022-34212 Vulnerability in maven package org.jenkins-ci.plugins:vmware-vrealize-orchestrator

Severity

Critical

Classification

CWE-200

Tags

Vendor Advisory