Vulnerability in Spring Security. If an application uses the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked. This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
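The following is an added model of the two provider shapes the advisory contrasts; it is not Spring Security's code. It assumes a PBKDF2 stand-in (fixed salt, constructed users) for the real PasswordEncoder, and it counts expensive comparisons instead of measuring time, so the difference in work between an unknown username and a disabled account can be asserted rather than observed.

```python
import hashlib
import hmac

class CountingEncoder:
    """Stand-in for a slow PasswordEncoder; counts matches() calls so work is asserted, not timed."""
    def __init__(self):
        self.matches_calls = 0
    def encode(self, raw: str) -> bytes:
        # Fixed salt and 20k iterations keep the model short; real encoders salt per user.
        return hashlib.pbkdf2_hmac("sha256", raw.encode(), b"constructed-salt", 20_000)
    def matches(self, raw: str, encoded: bytes) -> bool:
        self.matches_calls += 1
        return hmac.compare_digest(self.encode(raw), encoded)

def account_usable(user: dict) -> bool:
    # The three UserDetails attributes named in the advisory.
    return user["enabled"] and user["account_non_locked"] and user["account_non_expired"]

def authenticate_short_circuit(enc, users, username, password, dummy_hash):
    """Vulnerable shape: status checks precede the password comparison, so a disabled, locked
    or expired account answers without the slow matches() call that an unknown username gets."""
    user = users.get(username)
    if user is None:
        enc.matches(password, dummy_hash)  # timing defense covers unknown users only
        return False
    if not account_usable(user):
        return False  # early exit: no expensive comparison on this path
    return enc.matches(password, user["hash"])

def authenticate_constant_work(enc, users, username, password, dummy_hash):
    """Hardened shape: exactly one matches() call on every path; account status is
    evaluated only after the comparison, so the cost no longer depends on it."""
    user = users.get(username)
    password_ok = enc.matches(password, user["hash"] if user else dummy_hash)
    if user is None or not account_usable(user):
        return False
    return password_ok

def run(provider, username, password):
    """Drive a provider against a constructed two-user store; returns (authenticated, matches() calls)."""
    enc = CountingEncoder()
    ok = {"enabled": True, "account_non_locked": True, "account_non_expired": True}
    users = {
        "alice": {"hash": enc.encode("correct horse"), **ok},
        "bob": {"hash": enc.encode("hunter2"), **ok, "enabled": False},  # disabled user
    }
    dummy_hash = enc.encode("constructed-dummy-password")
    return provider(enc, users, username, password, dummy_hash), enc.matches_calls
```

Comparing the call counts for `"nobody"` and `"bob"` under each provider shows the gap: the short-circuit shape does zero comparisons for the disabled account but one for the unknown username, while the constant-work shape does one on both paths.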
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Spring_security | Vmware | * | 5.7.23 (excluding) |
| Spring_security | Vmware | 5.8.0 (including) | 5.8.25 (excluding) |
| Spring_security | Vmware | 6.3.0 (including) | 6.3.16 (excluding) |
| Spring_security | Vmware | 6.4.0 (including) | 6.4.16 (excluding) |
| Spring_security | Vmware | 6.5.0 (including) | 6.5.10 (excluding) |
| Spring_security | Vmware | 7.0.0 (including) | 7.0.5 (excluding) |