CVE-2012-5055 – Security: Ability to determine if username is valid via DaoAuthenticationProvider

https://notcve.org/view.php?id=CVE-2012-5055

05 Dec 2012 — DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests. DaoAuthenticationProvider en VMware SpringSource Spring Security antes de v2.0.8, v3.0.x antes de v3.0.8, y v3.1.x antes de v3.1.3 no comprueba la contraseña si el usuario no se encuentra, lo que hace qu... • http://support.springsource.com/security/CVE-2012-5055 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •