CVE-2019-11272
Published: Jun 26, 2019
Modified: Sep 16, 2024
PUBLISHED
Description
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
| Vendor | Product | Versions |
|---|---|---|
| Spring | Spring Security | affected 4.2 - < 4.2.13.RELEASE |
Weaknesses (CWE)
References
https://pivotal.io/security/cve-2019-11272 (x_refsource_CONFIRM)
[debian-lts-announce] 20190709 [SECURITY] [DLA 1848-1] libspring-security-2.0-java security update (mailing-list, x_refsource_MLIST)