CVE-2012-5055

VMware Spring Security Username Enumeration via Login Timing


Description

DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.

References (1)

Core References
Vendor Advisory x_refsource_confirm
http://support.springsource.com/security/CVE-2012-5055

Scores

EPSS 0.0036
EPSS Percentile 58.2%

Details

CWE
CWE-200
Status published
Products (16)
org.springframework.security/spring-security-core 0 - 2.0.8 Maven
vmware/springsource_spring_security 2.0.0
vmware/springsource_spring_security 2.0.1
vmware/springsource_spring_security 2.0.2
vmware/springsource_spring_security 2.0.3
vmware/springsource_spring_security 2.0.4
vmware/springsource_spring_security 2.0.5
vmware/springsource_spring_security 3.0.0
vmware/springsource_spring_security 3.0.1
vmware/springsource_spring_security 3.0.2
... and 6 more
Published Dec 05, 2012
Tracked Since Feb 18, 2026