CVE-2026-22746 (CVSS base score 3.7)
- EPSS 0.05%
- Published 22.04.2026 05:02:24
- Last modified 24.04.2026 14:20:02
- Source security@vmware.com
User Attribute Enumeration when Using DaoAuthenticationProvider
Vulnerability in Spring Security. If an application uses the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked. This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Data provided by the National Vulnerability Database (NVD)
VMware ≫ Spring Security Version < 5.7.23
VMware ≫ Spring Security Version >= 5.8.0 < 5.8.25
VMware ≫ Spring Security Version >= 6.3.0 < 6.3.16
VMware ≫ Spring Security Version >= 6.4.0 < 6.4.16
VMware ≫ Spring Security Version >= 6.5.0 < 6.5.10
VMware ≫ Spring Security Version >= 7.0.0 < 7.0.5
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.167 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@vmware.com | 3.7 | 2.2 | 1.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
CWE-208 Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
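The following is an added illustration of the observable timing discrepancy described above and of the bypass in the CVE text; it is not Spring Security's code and not its patch. It models a DaoAuthenticationProvider-style flow in plain Python so it can be run anywhere: the assumption made here is that the provider's mitigation (a dummy password encode for unknown usernames) only covers the "user not found" path, while the enabled/locked/expired checks run before the password encode, so those accounts fail without paying for the slow hash. `UserDetails`, `VulnerableProvider`, `HardenedProvider`, the sample users and the PBKDF2 stand-in for a password encoder are all constructed for this example. The hardened ordering shown is one defensive arrangement, not a description of the fixed releases.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

ITERATIONS = 100_000  # deliberately slow encoder, stand-in for bcrypt/PBKDF2 (constructed)


@dataclass
class UserDetails:
    """Minimal stand-in for Spring's UserDetails (hypothetical, not the real API)."""
    username: str
    salt: bytes
    password_hash: bytes
    enabled: bool = True
    account_non_locked: bool = True
    account_non_expired: bool = True

    def status_ok(self) -> bool:
        return self.enabled and self.account_non_locked and self.account_non_expired


def encode(password: str, salt: bytes) -> bytes:
    """The expensive step; whether it ran is what a timing probe observes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AuthError(Exception): ...
class BadCredentials(AuthError): ...
class AccountStatus(AuthError): ...  # disabled, locked or expired


# Dummy credential so that unknown usernames still pay for exactly one encode.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = encode(os.urandom(16).hex(), DUMMY_SALT)


class VulnerableProvider:
    """Status checks precede password verification. Unknown users and enabled
    users with a wrong password both perform one encode, but a disabled/locked/
    expired user fails before it: that fast path is the CWE-208 discrepancy."""

    def __init__(self, users):
        self.users = users
        self.encodes = 0  # instrumentation: slow encodes performed in this attempt

    def authenticate(self, username: str, password: str) -> UserDetails:
        user = self.users.get(username)
        if user is None:
            self.encodes += 1
            encode(password, DUMMY_SALT)  # mitigation covers unknown users only
            raise BadCredentials()
        if not user.status_ok():
            raise AccountStatus()  # returns without an encode: measurably faster
        self.encodes += 1
        if not hmac.compare_digest(encode(password, user.salt), user.password_hash):
            raise BadCredentials()
        return user


class HardenedProvider:
    """One hardened ordering (an assumption here, not Spring's patch): exactly one
    encode on every path, and account status reported only after the presented
    password has been verified, so every failure costs the same."""

    def __init__(self, users):
        self.users = users
        self.encodes = 0

    def authenticate(self, username: str, password: str) -> UserDetails:
        user = self.users.get(username)
        salt = user.salt if user is not None else DUMMY_SALT
        expected = user.password_hash if user is not None else DUMMY_HASH
        self.encodes += 1
        matches = hmac.compare_digest(encode(password, salt), expected)
        if user is None or not matches:
            raise BadCredentials()
        if not user.status_ok():
            raise AccountStatus()
        return user


def make_users() -> dict:
    """Constructed sample directory: one enabled and one disabled account."""
    salt = os.urandom(16)
    return {
        "alice": UserDetails("alice", salt, encode("correct horse", salt)),
        "bob": UserDetails("bob", salt, encode("battery staple", salt), enabled=False),
    }


def attempt(provider_cls, users, username, password):
    """One login attempt: (outcome, encodes performed, wall-clock seconds)."""
    provider = provider_cls(users)
    start = time.perf_counter()
    try:
        provider.authenticate(username, password)
        outcome = "ok"
    except AuthError as exc:
        outcome = type(exc).__name__
    return outcome, provider.encodes, time.perf_counter() - start


if __name__ == "__main__":
    users = make_users()
    for cls in (VulnerableProvider, HardenedProvider):
        print(cls.__name__)
        for name in ("nobody", "bob", "alice"):
            outcome, encodes, secs = attempt(cls, users, name, "wrong")
            print(f"  {name:7s} {outcome:15s} encodes={encodes} {secs:.3f}s")
```

Running the block prints, for each provider, the outcome and the number of slow encodes for an unknown user, a disabled user and an enabled user with a wrong password; in the vulnerable ordering the disabled account is the only one with zero encodes, which is the measurable difference the CWE entry describes. A useful check for any custom provider or account-status hook is the same one used here: count (or time) the password-encoding step on every failure path and treat any path that skips it as an enumeration oracle.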