CVE-2019-11272

Summary

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Affected Software

VendorProductVersion RangeStatus
SpringSpring Security4.2 < 4.2.13.RELEASEaffected

Weaknesses

  • CWE-287: CWE-287: Improper Authentication - Generic

ADP Enrichment

CVE Program Container

Additional References

References