This vulnerability in Spring Security involves a bypass of the DaoAuthenticationProvider's timing attack defense mechanism when applications rely on specific UserDetails attributes (isEnabled, isAccountNonExpired, isAccountNonLocked) to control user access states such as enabled, expired, or locked. The affected versions span multiple major releases from 5.7.0 to 7.0.4. The bypass could allow an attacker to infer user states through timing differences, classified under CWE-208 (Information Exposure Through Timing Discrepancy). The CVSS 3.1 base score is 3.7 (low), reflecting limited impact primarily related to information disclosure. No official remediation or patch is currently documented.

The vulnerability allows bypassing timing attack defenses in the authentication process, potentially exposing information about user account states (enabled, expired, locked). This could aid an attacker in user enumeration or reconnaissance but does not directly impact confidentiality, integrity, or availability beyond limited information disclosure. There are no known exploits in the wild, and the overall impact is considered low severity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, review application use of UserDetails attributes for user state management and consider additional protective measures against timing attacks. Avoid relying solely on these attributes for critical access control decisions. Monitor official Spring Security advisories for updates and patches.