Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zNTMzLXJ2cGMtNng1Ns4AAfYQ
Exposure of Sensitive Information to an Unauthorized Actor in Spring Security
DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.
Permalink: https://github.com/advisories/GHSA-3533-rvpc-6x56JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNTMzLXJ2cGMtNng1Ns4AAfYQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
Identifiers: GHSA-3533-rvpc-6x56, CVE-2012-5055
References:
- https://nvd.nist.gov/vuln/detail/CVE-2012-5055
- http://support.springsource.com/security/CVE-2012-5055
- https://github.com/advisories/GHSA-3533-rvpc-6x56
Affected Packages
maven:org.springframework.security:spring-security-core
Dependent packages: 1,940Dependent repositories: 44,289
Downloads:
Affected Version Ranges: >= 3.1.0, < 3.1.3, >= 3.0.0, < 3.0.8, < 2.0.8
Fixed in: 3.1.3, 3.0.8, 2.0.8
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4
All unaffected versions: 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.6.10, 5.6.11, 5.6.12, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.7.7, 5.7.8, 5.7.9, 5.7.10, 5.7.11, 5.7.12, 5.8.0, 5.8.1, 5.8.2, 5.8.3, 5.8.4, 5.8.5, 5.8.6, 5.8.7, 5.8.8, 5.8.9, 5.8.10, 5.8.11, 5.8.12, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4