Description

DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.

Remediation

References

http://support.springsource.com/security/CVE-2012-5055

Related Vulnerabilities

CVE-2018-1000056 Vulnerability in maven package org.jenkins-ci.plugins:junit

CVE-2019-10423 Vulnerability in maven package com.villagechief.codescan.jenkins:codescan

CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-debug-jdk18on

CVE-2022-24897 Vulnerability in maven package org.xwiki.commons:xwiki-commons-velocity

CVE-2014-2858 Vulnerability in maven package org.grails:grails-resources

Severity

Critical

Classification

CWE-200

Tags

Vendor Advisory