GHSA-v33x-prhc-gph5
GitHub Security Advisory
Insufficiently Protected Credentials and Improper Authentication in Spring Security
✓ GitHub Reviewed
HIGH
Has CVE
Advisory Details
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
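The following is an added illustration written for this page; it is not Spring Security's own source and does not reproduce the project's classes. It models the class of defect the advisory describes with two hypothetical check methods: one that coerces a missing stored password into the string "null" during comparison, and a hardened one that refuses to authenticate any account whose stored credential is absent and compares bytes in constant time. The method names, the `NullPasswordCheck` class and the sample credentials are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration (not Spring Security code). Shows why a plaintext
// password check that string-concatenates a null stored value ends up
// accepting the literal password "null", and how a hardened check behaves.
public class NullPasswordCheck {

    // Hypothetical vulnerable check: building the comparison strings with
    // concatenation silently turns a null encoded password into "null".
    static boolean vulnerableIsPasswordValid(String encodedPassword, String rawPassword) {
        String stored = "" + encodedPassword;   // null becomes the string "null"
        String supplied = "" + rawPassword;
        return stored.equals(supplied);
    }

    // Hardened check: an account with no stored secret can never authenticate,
    // and the comparison is constant-time so it does not leak match length.
    static boolean hardenedIsPasswordValid(String encodedPassword, String rawPassword) {
        if (encodedPassword == null || rawPassword == null) {
            return false;
        }
        byte[] stored = encodedPassword.getBytes(StandardCharsets.UTF_8);
        byte[] supplied = rawPassword.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(stored, supplied);
    }

    public static void main(String[] args) {
        // Constructed test cases; the first row is the situation the advisory describes.
        String[][] cases = {
            {null, "null"},
            {null, "anything"},
            {"s3cret", "s3cret"},
            {"s3cret", "null"},
        };
        for (String[] c : cases) {
            System.out.printf("stored=%-8s supplied=%-9s vulnerable=%-5b hardened=%b%n",
                    c[0], c[1],
                    vulnerableIsPasswordValid(c[0], c[1]),
                    hardenedIsPasswordValid(c[0], c[1]));
        }
    }
}
```

Running the class prints `vulnerable=true` only for the `null` / `"null"` row, while the hardened check returns `false` for it. The hardened method still compares plaintext, which is itself the weak setting: the practical remediation is the fixed release the advisory names (4.2.13) together with a hashing password encoder rather than PlaintextPasswordEncoder, and a data check that no account carries a null stored credential.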
Affected Packages
Maven
org.springframework.security:spring-security-core
Affected versions:
0
(fixed in 4.2.13)
Maven
org.springframework.security:spring-security-cas
Affected versions:
0
(fixed in 4.2.13.RELEASE)
Related CVEs
Key Information
7.5/10
Dataset
Last updated: September 19, 2025 6:29 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.