CVSS: 5.6EPSS: 0%CPEs: 13EXPL: 0CVE-2011-2731
https://notcve.org/view.php?id=CVE-2011-2731
05 Dec 2012 — Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread. Condición de carrera en el mecanismo RunAsManager en Mware SpringSource Spring Security antes de v2.0.7 y v3.0.x antes de v3.0.6 almacena el objeto Authentication en el contexto de seguridad compartida, lo que permite a atacantes remotos ganar privilegios a travé... • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 4.3EPSS: 6%CPEs: 13EXPL: 1CVE-2011-2732 – Spring Security - HTTP Header Injection
https://notcve.org/view.php?id=CVE-2011-2732
05 Dec 2012 — CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter. Vulnerabilidad de inyección de secuencias CRLF en la funcionalidad de logout en VMware SpringSource Spring Security antes de v2.0.7 y v3.0.x antes de v3.0.6 permite a atacantes remotos inyectar cabeceras HTTP de su elección y llevar a ... • https://www.exploit-db.com/exploits/36130 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 15EXPL: 0CVE-2012-5055 – Security: Ability to determine if username is valid via DaoAuthenticationProvider
https://notcve.org/view.php?id=CVE-2012-5055
05 Dec 2012 — DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests. DaoAuthenticationProvider en VMware SpringSource Spring Security antes de v2.0.8, v3.0.x antes de v3.0.8, y v3.1.x antes de v3.1.3 no comprueba la contraseña si el usuario no se encuentra, lo que hace qu... • http://support.springsource.com/security/CVE-2012-5055 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 20EXPL: 0CVE-2010-3700
https://notcve.org/view.php?id=CVE-2010-3700
29 Oct 2010 — VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter. VMware SpringSource Spring Security v2.x anterior a v2.0.6 y v3.x anterior a v3.0.4, y Acegi Security v1.0.0 hasta v1.0.7, como el usado en IBM WebSphere Application Server (WAS) v6.1 y v7.0, permite a los atacantes remotos evitar las restricciones de segur... • http://osvdb.org/68931 • CWE-264: Permissions, Privileges, and Access Controls •