Cisco Bug: CSCul88655 - Spring Security Web Framework on UCM Vulnerable to Info Disclosure Vul
Nov 19, 2020
- Cisco Unified Communications Manager (CallManager)
Known Affected Releases
Symptom: Cisco Unified Communications Manager (CallManager) includes a version of the VMware SpringSource Spring Security framework that is affected by the vulnerability identified by the following Common Vulnerabilities and Exposures (CVE) ID:

CVE-2012-5055: DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.

This was classified by the vendor as having a CVSS v2 Base Score of 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N).

This bug was opened to address the potential impact on this product.

Conditions: Cisco Unified Communications Manager (CallManager) running affected versions of the Spring Security framework.
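The timing difference described in CVE-2012-5055, next to a uniform-time check, as an added example that is not Cisco's or Spring Security's code. The class, the in-memory user store and the PBKDF2 parameters are assumptions chosen for illustration; PBKDF2 stands in for whatever password encoder a deployment configures.

```java
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
public class LoginTimingDemo {
    // Constructed in-memory user store: username -> {salt, PBKDF2 hash}.
    static final Map<String, byte[][]> USERS = new HashMap<>();
    // Dummy record hashed for unknown usernames so both paths cost the same.
    static final byte[][] DUMMY = record("placeholder-never-matches");
    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static byte[][] record(String password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new byte[][] { salt, pbkdf2(password, salt) };
    }

    // Behaviour described in the CVE: an unknown user returns before any hashing.
    static boolean authenticateLeaky(String user, String password) {
        byte[][] rec = USERS.get(user);
        return rec != null && MessageDigest.isEqual(rec[1], pbkdf2(password, rec[0]));
    }

    // Hardened: always hash exactly once, then fold "user exists" into the result.
    static boolean authenticateUniform(String user, String password) {
        byte[][] rec = USERS.get(user);
        byte[][] target = (rec != null) ? rec : DUMMY;
        boolean match = MessageDigest.isEqual(target[1], pbkdf2(password, target[0]));
        return (rec != null) & match; // non-short-circuit AND; dummy can never log in
    }

    public static void main(String[] args) {
        USERS.put("alice", record("correct horse")); // constructed sample account
        for (String u : new String[] { "alice", "nobody" }) {
            long t0 = System.nanoTime(); authenticateLeaky(u, "wrong");
            long t1 = System.nanoTime(); authenticateUniform(u, "wrong");
            long t2 = System.nanoTime();
            System.out.printf("%-6s leaky=%d us  uniform=%d us%n", u, (t1 - t0) / 1000, (t2 - t1) / 1000);
        }
    }
}
```

The first measurement also absorbs one-time JVM and crypto-provider start-up, so compare repeated runs rather than a single line of output.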