CVE-2019-11272
N/A
N/A
Summary
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Spring | Spring Security | 4.2 < 4.2.13.RELEASE | affected |
Weaknesses
- CWE-287: CWE-287: Improper Authentication - Generic
ADP Enrichment
CVE Program Container
Additional References
- https://pivotal.io/security/cve-2019-11272
- https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html
References
- https://pivotal.io/security/cve-2019-11272
- https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.