Name of the Vulnerable Software and Affected Versions PersistedUsernamePasswordProvider (affected versions not specified)

Description The issue concerns a timing attack that could disclose the existence of accounts based on the hashing of passwords. This occurred because password hashing was only performed when an account was found. The core has been modified so that the provider always performs a password comparison when credentials are submitted.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.