























If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.
Spring Security:
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 5.7.x | 5.7.23 | Enterprise Support Only |
| 5.8.x | 5.8.25 | Enterprise Support Only |
| 6.3.x | 6.3.16 | Enterprise Support Only |
| 6.4.x | 6.4.16 | Enterprise Support Only |
| 6.5.x | 6.5.10 | OSS |
| 7.0.x | 7.0.5 | OSS |
Note that this version also introduces a setter DaoAuthenticationProvider#setAlwaysPerformAdditionalChecksOnUser.
In the event that this upgrade causes you trouble, you can set this value to false.
The issue was identified and responsibly reported by meverden.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。