CVE-2019-11272

CWE-287 — Improper Authentication CWE-522 — Insufficiently Protected Credentials CWE-3056 documents6 sources

Severity

7.3HIGH

EPSS

0.4%

top 38.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spring Spring Security Vmware Spring Security Debian Debian Linux

Timeline

PublishedJun 26

Latest updateJul 11

Description

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages4 packages

▶CVEListV5spring/spring_security4.2 — 4.2.13.RELEASE

▶NVDvmware/spring_security< 4.2.13

▶Mavenorg.springframework.security:spring-security-cas< 4.2.13.RELEASE

▶Mavenorg.springframework.security:spring-security-core< 4.2.13

Also affects: Debian Linux 8.0

🔴Vulnerability Details

OSV

Insufficiently Protected Credentials and Improper Authentication in Spring Security↗2019-06-27

▶

GHSA

Insufficiently Protected Credentials and Improper Authentication in Spring Security↗2019-06-27

▶

CVEList

PlaintextPasswordEncoder authenticates encoded passwords that are null↗2019-06-26

▶

📋Vendor Advisories

Red Hat

spring-security-core: mishandling of user passwords allows logging in with a password of NULL↗2019-07-11

▶

💬Community

Bugzilla

CVE-2019-11272 spring-security-core: mishandling of user passwords allows logging in with a password of NULL↗2019-07-11

▶