Cisco Bug: CSCul88655 - Spring Security Web Framework on UCM Vulnerable to Info Disclosure Vul

Last Modified

Nov 19, 2020

Products (1)

Cisco Unified Communications Manager (CallManager)

Known Affected Releases

10.0(1.10000.26)

Description (partial)

Symptom:
Cisco Unified Communications Manager (CallManager) includes a version
of VMware SpringSource Spring Security framework that is affected by
the vulnerabilities identified by the following Common Vulnerability
and Exposures (CVE) ID:

CVE-2012-5055: DaoAuthenticationProvider in VMware SpringSource Spring
Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does
not check the password if the user is not found, which makes the
response delay shorter and might allow remote attackers to enumerate
valid usernames via a series of login requests.  This was classified
by the vendor as having a CVSS v2 Base Score of 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)

This bug was opened to address the potential impact on this product.

Conditions:
Cisco Unified Communications Manager (CallManager) running affected
versions of the Spring Security framework.

View Bug Details in Bug Search Tool Login Required

Why Is Login Required?

Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

Full Description (including symptoms, conditions and workarounds)
Status
Severity
Known Fixed Releases
Related Community Discussions
Number of Related Support Cases

Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.

Learn More About Cisco Service Contracts