CVE-2019-11272

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Published: Jun 26, 2019
Updated: May 9, 2024
CVE: CVE-2019-11272
GHSA: GHSA-v33x-prhc-gph5
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-287
CWE-522

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
vmware / spring_security	4.2.0	4.2.12.x
debian / debian_linux	8.0	8.0.x
org.springframework.security / spring-security-core	-	4.2.13
org.springframework.security / spring-security-cas	-	4.2.13.RELEASE

https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html
https://pivotal.io/security/cve-2019-11272

Vulnerability Database

289,697

CVE-2019-11272