CVE-2012-5055: Infoleak
First published: Wed Dec 05 2012(Updated: )
DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| VMware Spring Security | <=2.0.6 | |
| VMware Spring Security | =2.0.0 | |
| VMware Spring Security | =2.0.1 | |
| VMware Spring Security | =2.0.2 | |
| VMware Spring Security | =2.0.3 | |
| VMware Spring Security | =2.0.4 | |
| VMware Spring Security | =2.0.5 | |
| VMware Spring Security | =3.0.0 | |
| VMware Spring Security | =3.0.1 | |
| VMware Spring Security | =3.0.2 | |
| VMware Spring Security | =3.0.3 | |
| VMware Spring Security | =3.0.4 | |
| VMware Spring Security | =3.0.5 | |
| VMware Spring Security | =3.1.1 | |
| VMware Spring Security | =3.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2012-5055?
CVE-2012-5055 is considered a vulnerability that could allow information disclosure through username enumeration.
How do I fix CVE-2012-5055?
To fix CVE-2012-5055, upgrade VMware SpringSource Spring Security to version 2.0.8, 3.0.8, or 3.1.3 and later.
What versions of Spring Security are affected by CVE-2012-5055?
CVE-2012-5055 affects versions of VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3.
What are the potential consequences of CVE-2012-5055?
The potential consequences of CVE-2012-5055 include an increased risk of unauthorized access due to username enumeration.
Is there a workaround for CVE-2012-5055?
There are no official workarounds for CVE-2012-5055; the recommended action is to update to a patched version.
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/type
- agent/event
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/vmware
- canonical/vmware spring security
- version/vmware spring security/2.0.6
- version/vmware spring security/2.0.0
- version/vmware spring security/2.0.1
- version/vmware spring security/2.0.2
- version/vmware spring security/2.0.3
- version/vmware spring security/2.0.4
- version/vmware spring security/2.0.5
- version/vmware spring security/3.0.0
- version/vmware spring security/3.0.1
- version/vmware spring security/3.0.2
- version/vmware spring security/3.0.3
- version/vmware spring security/3.0.4
- version/vmware spring security/3.0.5
- version/vmware spring security/3.1.1
- version/vmware spring security/3.1.2