CVE-2012-5055

CWE-200 — Information Exposure6 documents6 sources

Severity

5.0MEDIUM

EPSS

0.4%

top 41.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Springsource Spring Security

Timeline

PublishedDec 5

Latest updateMay 17

Description

DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDvmware/springsource_spring_security2.0.6+14

▶Mavenorg.springframework.security:spring-security-core3.0.0 — 3.0.8+2

🔴Vulnerability Details

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Spring Security↗2022-05-17

▶

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Spring Security↗2022-05-17

▶

CVEList

CVE-2012-5055: DaoAuthenticationProvider in VMware SpringSource Spring Security before 2↗2012-12-05

▶

📋Vendor Advisories

Red Hat

Security: Ability to determine if username is valid via DaoAuthenticationProvider↗2012-10-09

▶

💬Community

Bugzilla

CVE-2012-5055 Spring Security: Ability to determine if username is valid via DaoAuthenticationProvider↗2012-12-11

▶