Description

DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.

Remediation

References

http://support.springsource.com/security/CVE-2012-5055

Related Vulnerabilities

CVE-2011-4838 Vulnerability in maven package org.jruby:jruby

CVE-2019-10062 Vulnerability in npm package aurelia-framework

CVE-2020-2111 Vulnerability in maven package org.jenkins-ci.plugins:subversion

CVE-2020-2167 Vulnerability in maven package com.openshift.jenkins:openshift-pipeline

CVE-2020-35216 Vulnerability in maven package io.atomix:atomix

Severity

Critical

Classification

CWE-200

Tags

Vendor Advisory