Cisco Bug: CSCul88655 - Spring Security Web Framework on UCM Vulnerable to Info Disclosure Vul

Last Modified

Jun 25, 2020

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

10.0(1.10000.26)

Description (partial)

Symptom:
Cisco Unified Communications Manager (CallManager) includes a version
of the VMware SpringSource Spring Security framework that is affected by
the vulnerability identified by the following Common Vulnerabilities
and Exposures (CVE) ID:

CVE-2012-5055: DaoAuthenticationProvider in VMware SpringSource Spring
Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does
not check the password if the user is not found, which makes the
response delay shorter and might allow remote attackers to enumerate
valid usernames via a series of login requests.  This was classified
by the vendor as having a CVSS v2 Base Score of 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N).

This bug was opened to address the potential impact on this product.

Conditions:
Cisco Unified Communications Manager (CallManager) running affected
versions of the Spring Security framework.
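
The timing difference described under CVE-2012-5055, and one way to remove it, as an added example that is not Spring Security or Cisco code. It uses only the JDK; the class and method names are hypothetical, the account is constructed, and PBKDF2 stands in for whatever password encoder a deployment actually uses.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.*;
import java.util.*;

// Added illustration; not Spring Security or Cisco code. All names are hypothetical.
public class TimingSafeLogin {
    static final class Rec {
        final byte[] salt = new byte[16], hash;
        Rec(char[] pw) { new SecureRandom().nextBytes(salt); hash = pbkdf2(pw, salt); }
    }

    private final Map<String, Rec> users = new HashMap<>();
    // Constructed placeholder record, hashed with the same parameters as real ones.
    private final Rec dummy = new Rec("constructed-placeholder".toCharArray());

    static byte[] pbkdf2(char[] pw, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(new PBEKeySpec(pw, salt, 100_000, 256)).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    void addUser(String name, char[] pw) { users.put(name, new Rec(pw)); }

    // Pattern from the CVE text: an unknown user returns before any password check.
    boolean loginEarlyReturn(String name, char[] pw) {
        Rec r = users.get(name);
        if (r == null) return false; // no hashing, so the response is measurably faster
        return MessageDigest.isEqual(r.hash, pbkdf2(pw, r.salt));
    }

    // Hardened: one hash and one constant-time compare on every path.
    boolean loginEqualWork(String name, char[] pw) {
        Rec r = users.get(name);
        Rec target = (r != null) ? r : dummy;
        boolean match = MessageDigest.isEqual(target.hash, pbkdf2(pw, target.salt));
        return r != null && match;
    }

    public static void main(String[] args) {
        TimingSafeLogin svc = new TimingSafeLogin();
        svc.addUser("alice", "constructed-sample-pw".toCharArray()); // constructed account
        for (String name : new String[] {"alice", "nobody"}) {
            long t0 = System.nanoTime();
            svc.loginEarlyReturn(name, "wrong".toCharArray());
            long t1 = System.nanoTime();
            svc.loginEqualWork(name, "wrong".toCharArray());
            long t2 = System.nanoTime();
            System.out.printf("%-6s earlyReturn=%dus equalWork=%dus%n", name, (t1 - t0) / 1000, (t2 - t1) / 1000);
        }
    }
}
```

Running `main` prints the elapsed time of each path for a known and an unknown username, which can serve as a regression check that both cases cost the same after hardening.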