Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Spring

Spring Security

Affected Versions:

4.2

References

https://pivotal.io/security/cve-2019-11272

https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html

Published: 2019-06-26T14:06:15.312137Z

Last Modified: 2024-09-16T19:25:59.208Z

Copied to clipboard!