CVE-2012-5055

Authorization Bypass
Affects
Spring Security
<2.0.9, >=3.0.0, <3.0.9, >=3.1.0, <3.1.4
in
Spring
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Spring Security is a comprehensive Java security framework for securing enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of secure applications by allowing you to manage authentication, authorization, and other security concerns with ease. Spring Security integrates seamlessly with the Spring Framework, offering robust tools for configuring access controls, managing user roles, and protecting resources, all while allowing Java to be your primary language for application development.

CVE-2012-5055 is an authentication bypass vulnerability in VMware SpringSource's DaoAuthenticationProvider component. The component does not properly check the password when the supplied username is not found during authentication. As a result, an attacker can submit arbitrary usernames without triggering the usual password validation checks.

Per StrongDM: An Authentication Bypass Vulnerability is a flaw in the user authentication mechanism that allows an attacker to bypass or circumvent the authentication process. By exploiting this weakness, the attacker gains unauthorized access to an application, service, or device. Once an intrusion is successfully executed, the attacker can steal sensitive information, install malicious software, or carry out malicious actions.

This issue affects multiple versions.

Details

Module Info

Vulnerability Info

The DaoAuthenticationProvider is an AuthenticationProvider implementation that uses a UserDetailsService and a PasswordEncoder to authenticate a username and password. The vulnerability arises because the DaoAuthenticationProvider did not handle the edge case of an unknown username properly: when the user was not found, the password check was skipped rather than performed. An attacker could exploit this flaw to bypass authentication and gain unauthorized access to an application.
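The following Python model is an added illustration of the flaw described above; it is not Spring Security's code, and the PasswordEncoder, UserDetailsService and provider classes in it are simplified stand-ins (assumptions) for the Spring components of the same names. The flawed flow returns as soon as the user lookup fails, so an unknown username never reaches the password encoder and the two failure paths do different amounts of work. The hardened flow runs exactly one password check on every attempt, against a constructed placeholder hash when the user does not exist, and fails with the same generic error either way. A counter on the encoder makes the difference measurable.

```python
"""Model of the DaoAuthenticationProvider not-found edge case (illustrative, not Spring code)."""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # deliberately low for the demo; real deployments use far more


class BadCredentials(Exception):
    """Generic failure that never reveals whether the username or the password was wrong."""


class PasswordEncoder:
    """Minimal PBKDF2 encoder standing in for Spring's PasswordEncoder (assumption)."""

    def __init__(self):
        self.checks = 0  # number of password verifications performed so far

    def encode(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def matches(self, presented: str, salt: bytes, stored: bytes) -> bool:
        self.checks += 1
        return hmac.compare_digest(self.encode(presented, salt), stored)


class UserDetailsService:
    """In-memory user store standing in for Spring's UserDetailsService (assumption)."""

    def __init__(self, encoder: PasswordEncoder, users: dict):
        self._users = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, encoder.encode(password, salt))

    def load_user(self, username: str):
        return self._users.get(username)  # None when the user is not found


def authenticate_vulnerable(svc, enc, username, password) -> str:
    """Flawed flow: an unknown username returns before any password check happens."""
    record = svc.load_user(username)
    if record is None:
        raise BadCredentials()  # no encoder work on this path
    salt, stored = record
    if not enc.matches(password, salt, stored):
        raise BadCredentials()
    return username


class HardenedProvider:
    """Always performs exactly one password check, even when the user does not exist."""

    def __init__(self, svc, enc):
        self._svc, self._enc = svc, enc
        # Constructed placeholder credential, used only to equalise the work done on
        # the not-found path; it is never accepted as a valid login.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = enc.encode(os.urandom(16).hex(), self._dummy_salt)

    def authenticate(self, username, password) -> str:
        record = self._svc.load_user(username)
        if record is None:
            # Same amount of encoder work as the found path, then the same generic failure.
            self._enc.matches(password, self._dummy_salt, self._dummy_hash)
            raise BadCredentials()
        salt, stored = record
        if not self._enc.matches(password, salt, stored):
            raise BadCredentials()
        return username


def checks_performed(authenticate, enc, username, password) -> int:
    """Run one login attempt and return how many password checks it triggered."""
    before = enc.checks
    try:
        authenticate(username, password)
    except BadCredentials:
        pass
    return enc.checks - before


def demo() -> dict:
    """Compare the two flows on a known and an unknown username (constructed sample data)."""
    enc = PasswordEncoder()
    svc = UserDetailsService(enc, {"alice": "correct horse"})
    hardened = HardenedProvider(svc, enc)

    def vulnerable(u, p):
        return authenticate_vulnerable(svc, enc, u, p)

    return {
        "vuln_known": checks_performed(vulnerable, enc, "alice", "wrong"),
        "vuln_unknown": checks_performed(vulnerable, enc, "mallory", "wrong"),
        "hard_known": checks_performed(hardened.authenticate, enc, "alice", "wrong"),
        "hard_unknown": checks_performed(hardened.authenticate, enc, "mallory", "wrong"),
        "hard_success": hardened.authenticate("alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable flow performing one password check for a known user and none for an unknown one, while the hardened provider performs one check in both cases and still accepts the correct password. The design point is that the not-found branch must do the same work and raise the same exception as the wrong-password branch; the placeholder hash exists only so the encoder has something to compare against on that branch.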

Credit

  • The issue was discovered by Nicholas Goodwin.

Mitigation

Users of the affected components should apply one of the following mitigations:

  • All users may upgrade to Spring Security 3.1.3+, 3.0.8+, or 2.0.8+
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
Vulnerability Details

ID: CVE-2012-5055
Project Affected: Spring Security
Versions Affected: <2.0.9, >=3.0.0, <3.0.9, >=3.1.0, <3.1.4
Published date: December 12, 2012
Fix date (approximate): December 12, 2012
Severity: Medium
Category: Authorization Bypass