CVE-2025-22234 Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation
The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...
CVE-2023-32699
MeterSphere is an open source continuous testing platform. Version 2.9.1 and prior are vulnerable to denial of service. The checkUserPassword method is used to check whether the password provided by the user matches the password saved in the database, and the CodingUtil.md5 method is used to...
spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length
A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation...
GHSA-MP5P-G2JV-R8QW rdiffweb contains Weak Password Requirements
rdiffweb version 2.4.1 has no password policy or password checking, which could make users vulnerable to brute force password guessing attacks. Version 2.4.2 enforces minimum and maximum password lengths...
PT-2022-20934 · Rdiffweb · Rdiffweb
Name of the Vulnerable Software and Affected Versions: rdiffweb versions prior to 2.4.2. Description: The issue is related to weak password requirements. Specifically, versions prior to 2.4.2 have no password policy or password checking, making users vulnerable to brute force password guessing...
Default credentials
Dahua DVR appliances have a small value for the maximum password length, which makes it easier for remote attackers to obtain access via a brute-force attack...