VULNERABILITIES / FIXES - December 10, 2012
by Carol~ - 12/10/12 9:15 AM
Spring Security DaoAuthenticationProvider Username Enumeration Weakness
Release Date : 2012-12-10
Criticality level: Not critical
Impact : Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch
Software: Spring Security 2.x, Spring Security 3.x
A weakness has been reported in Spring Security, which can be exploited by malicious people to determine valid usernames.
The weakness is caused by the DaoAuthenticationProvider component taking a measurably different amount of time to reject a failed login attempt depending on whether the supplied username exists: when the user lookup fails the provider returns immediately, whereas for an existing user it goes on to perform the comparatively expensive password encoding and comparison. A remote attacker can time failed logins and use that difference to distinguish valid usernames from invalid ones.
The weakness is reported in versions 3.1.0 through 3.1.2, 3.0.0 through 3.0.7, and 2.0.0 through 2.0.7.
Update to versions 3.1.3, 3.0.8, or 2.0.8.
Provided and/or discovered by:
The vendor credits Nicholas Goodwin.
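The following is an added example, not code from the advisory or from Spring Security. It is a small Python model of the behaviour the advisory describes: a "vulnerable" provider that skips the slow password hash whenever the username is unknown, beside a "hardened" provider that always performs one hash (hashing a fixed dummy password when the user does not exist) so that known and unknown usernames take the same time. All class and function names, the PBKDF2 parameters, and the sample user are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed demo parameters (hypothetical; not Spring Security's settings).
ITERATIONS = 100_000  # slow enough that skipping the hash is measurable


def slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately expensive password hash, standing in for the encoder."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class UserStore:
    """In-memory user table: username -> (salt, hashed password)."""

    def __init__(self):
        self.users = {}

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, slow_hash(password, salt))

    def lookup(self, username: str):
        return self.users.get(username)


class VulnerableProvider:
    """Models the weakness: returns at once for an unknown username, so the
    expensive hash only runs when the username exists."""

    def __init__(self, store: UserStore):
        self.store = store
        self.hash_calls = 0  # how many times the slow hash ran

    def authenticate(self, username: str, password: str) -> bool:
        rec = self.store.lookup(username)
        if rec is None:
            return False  # fast path: leaks that the user does not exist
        salt, expected = rec
        self.hash_calls += 1
        return hmac.compare_digest(slow_hash(password, salt), expected)


class HardenedProvider:
    """Always performs exactly one hash per attempt; an unknown username is
    checked against a fixed dummy record so the timing is the same."""

    def __init__(self, store: UserStore):
        self.store = store
        self.hash_calls = 0
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = slow_hash("userNotFoundPassword", self._dummy_salt)

    def authenticate(self, username: str, password: str) -> bool:
        rec = self.store.lookup(username)
        salt, expected = rec if rec is not None else (self._dummy_salt, self._dummy_hash)
        self.hash_calls += 1
        matched = hmac.compare_digest(slow_hash(password, salt), expected)
        # Never succeed for a missing user, even if the dummy password was guessed.
        return matched and rec is not None


def time_attempt(provider, username: str, password: str, rounds: int = 3) -> float:
    """Best-of-N wall-clock time for one failed login, as an attacker would measure."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        provider.authenticate(username, password)
        best = min(best, time.perf_counter() - start)
    return best


def timing_ratio(provider, known_user: str, unknown_user: str) -> float:
    """Ratio of failed-login time for a valid vs an invalid username; ~1.0 means no leak."""
    return time_attempt(provider, known_user, "wrong") / time_attempt(provider, unknown_user, "wrong")


if __name__ == "__main__":
    store = UserStore()
    store.add("alice", "correct horse battery staple")  # constructed sample user
    for name, cls in (("vulnerable", VulnerableProvider), ("hardened", HardenedProvider)):
        ratio = timing_ratio(cls(store), "alice", "nobody")
        print(f"{name}: valid/invalid username timing ratio = {ratio:.1f}")
```

Run stand-alone, the vulnerable provider shows a ratio far above 1 (an unknown username is rejected without any hash work), while the hardened provider stays close to 1. Note that the fixed design still requires the dummy hash to use the same algorithm and cost as real user records, otherwise a difference remains.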