Home

CVE-2012-5055

Description

DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.

Risk Information

Base Score
8.6
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
EPSS Score
Exploitation Probability
0.361

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2012-5055 are fixed in Spring-security-core 2.0.8Windows
Vulnerabilities CVE-2012-5055 are fixed in Spring-security-core 3.0.8Windows
Vulnerabilities CVE-2012-5055 are fixed in Spring-security-core 3.1.3Windows
Vulnerabilities CVE-2012-5055 are fixed in Spring-security-core for Linux 2.0.8Linux
Vulnerabilities CVE-2012-5055 are fixed in Spring-security-core for Linux 3.0.8Linux
Vulnerabilities CVE-2012-5055 are fixed in Spring-security-core for Linux 3.1.3Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234