DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2012-12-05T17:00:00Z
Updated: 2024-09-16T23:11:00.174Z
Reserved: 2012-09-21T00:00:00Z
Link: CVE-2012-5055
Vulnrichment
No data.
NVD
Status : Modified
Published: 2012-12-05T17:55:01.663
Modified: 2024-11-21T01:43:56.507
Link: CVE-2012-5055
Redhat