Lucene search
K

10 matches found

Veracode
Veracode
added 2026/04/30 7:50 a.m.9 views

Sensitive Information Disclosure

Spring Security is vulnerable to Sensitive Information Disclosure. The vulnerability is due to bypass of timing attack protections in DaoAuthenticationProvider when handling disabled, expired, or locked user states, which allows an attacker to infer user account status through response timing...

3.7CVSS5.2AI score0.00215EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/04/22 6:30 a.m.4 views

GHSA-VXF7-QJ7Q-83FH Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

3.7CVSS5.8AI score0.00215EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/22 5:2 a.m.30 views

CVE-2026-22746 User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

3.7CVSS0.00215EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/22 5:2 a.m.11 views

CVE-2026-22746 User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

3.7CVSS5.7AI score0.00215EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/27 7:33 p.m.7 views

CVE-2025-22234

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. Mitigation Mitigation for thi...

7.4CVSS5.8AI score0.00568EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/01/22 9:33 p.m.17 views

Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

7.4CVSS5.5AI score0.00568EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/01/22 9:2 p.m.31 views

CVE-2025-22234 Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

5.3CVSS0.00402EPSS
Exploits0References1
EUVD
EUVD
added 2026/01/22 9:2 p.m.4 views

EUVD-2026-3787

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

7.4CVSS5.5AI score0.00568EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/01/22 9:2 p.m.9 views

CVE-2025-22234 Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

5.3CVSS5.5AI score0.00402EPSS
Exploits0References1
Snyk
Snyk
added 2025/04/22 12:0 a.m.8 views

Timing Attack

Overview org.springframework.security:spring-security-crypto is a spring-security-crypto library for Spring Security. Affected versions of this package are vulnerable to Timing Attack due to an unintentional bypass for DaoAuthenticationProvider constant time controls, which was caused by the fix...

7.4CVSS7.1AI score0.00568EPSS
Exploits0References2
Rows per page
Query Builder