Name of the Vulnerable Software and Affected Versions:

versions prior to the patched version

Description:

The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks. The issue was caused by different response times when a valid username was provided (password hashing occurred) and when an invalid username was provided (no password hashing occurred). The fix introduces a TimingSafeFormLoginAuthenticator that performs a dummy password hash verification even for non-existent users, ensuring consistent timing.

Recommendations:

Upgrade to the patched version.