PlaintextPasswordEncoder authenticates encoded passwords that are null
Description
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Spring Security PlaintextPasswordEncoder allows authentication with password "null" when stored password is null.
Vulnerability
Overview
CVE-2019-11272 affects Spring Security versions 4.2.x up to 4.2.12 and older unsupported versions. The vulnerability lies in PlaintextPasswordEncoder, which performs no hashing and compares the stored (encoded) password with the submitted one as plain text. When a user's stored password is null, the encoder's comparison treats it as the literal four-character string "null", so a submitted password of "null" is accepted as valid [1].
Exploitation
An attacker can exploit this flaw by submitting the password "null" for a target username through the application's normal login endpoint; no prior privileges or special network position are required. The vulnerability applies only to applications that use PlaintextPasswordEncoder and have user records whose stored password is null, which can occur through misconfiguration or data corruption. A practical check for exposure is therefore to query the user store for rows with a null password column while the application still uses this encoder [1].
Impact
Successful exploitation allows an attacker to authenticate as any user whose stored password is null, gaining the same access privileges as that user. This can lead to unauthorized access to sensitive data or functions within the application [1].
Mitigation
Spring Security addressed this flaw in version 4.2.13, which rejects authentication when the stored password is null. Upgrading removes the null-equals-"null" bug but does not change the fact that PlaintextPasswordEncoder stores and compares passwords without hashing, so the upgrade should be paired with migration to a strong, salted password encoder such as BCryptPasswordEncoder and with a review of any accounts that currently have a null stored password. Users on older, unsupported versions should move to a supported release [1].
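The following Java program, added here as an illustration and not taken from Spring Security's source, models the comparison behaviour behind the advisory: the vulnerable variant coerces a null stored password to the String "null" by string concatenation (an assumed model of the bug, not a quotation of the library), while the hardened variant rejects a null stored password outright and compares the remaining plaintext in constant time. The class and method names, the `LegacyEncoder` interface and the user record are hypothetical stand-ins constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/**
 * Added example (not Spring Security code): contrasts a null-unsafe
 * plaintext password check, as described for CVE-2019-11272, with a
 * null-safe one. All names here are hypothetical.
 */
public class NullPasswordCheckDemo {

    /** Stand-in for the legacy 4.2.x encoder contract: stored value vs submitted value. */
    interface LegacyEncoder {
        boolean isPasswordValid(String encPass, String rawPass, Object salt);
    }

    /** Salt handling as modelled for this example: password, optionally followed by "{salt}". */
    static String mergePasswordAndSalt(String password, Object salt) {
        if (password == null) {
            password = "";
        }
        if (salt == null || "".equals(salt)) {
            return password;
        }
        return password + "{" + salt + "}";
    }

    /**
     * Vulnerable behaviour (assumption: the concatenation below models the bug).
     * In Java, "" + null evaluates to the String "null", so a user whose stored
     * password is null matches a submitted password of "null".
     */
    static final LegacyEncoder VULNERABLE = (encPass, rawPass, salt) -> {
        String stored = "" + encPass;                      // null becomes "null"
        String submitted = mergePasswordAndSalt(rawPass, salt);
        return stored.equals(submitted);
    };

    /** Hardened behaviour: a missing stored password never authenticates anyone. */
    static final LegacyEncoder FIXED = (encPass, rawPass, salt) -> {
        if (encPass == null || rawPass == null) {
            return false;                                  // fail closed on missing data
        }
        String submitted = mergePasswordAndSalt(rawPass, salt);
        return constantTimeEquals(encPass, submitted);
    };

    /** Length-independent comparison so the plaintext check does not leak via timing. */
    static boolean constantTimeEquals(String a, String b) {
        byte[] x = a.getBytes(StandardCharsets.UTF_8);
        byte[] y = b.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(x, y);
    }

    public static void main(String[] args) {
        // Constructed user record: the account exists but its password column is NULL.
        String storedPassword = null;
        String attackerInput = "null";

        System.out.println("vulnerable encoder, stored=null, submitted=\"null\": "
                + VULNERABLE.isPasswordValid(storedPassword, attackerInput, null));
        System.out.println("fixed encoder,      stored=null, submitted=\"null\": "
                + FIXED.isPasswordValid(storedPassword, attackerInput, null));

        // A genuine plaintext match still succeeds, showing the guard changes only the null case.
        System.out.println("fixed encoder,      stored=\"s3cret\", submitted=\"s3cret\": "
                + FIXED.isPasswordValid("s3cret", "s3cret", null));
    }
}
```

Compile and run with `javac NullPasswordCheckDemo.java && java NullPasswordCheckDemo`. The null guard is the minimal fix the advisory describes; in a real deployment the encoder itself should be replaced, since neither variant above hashes the stored value.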
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.springframework.security:spring-security-core | Maven | < 4.2.13 | 4.2.13 |
| org.springframework.security:spring-security-cas | Maven | < 4.2.13.RELEASE | 4.2.13.RELEASE |
Affected products
- pkg:maven/org.springframework.security/spring-security-cas (no CPE), range: < 4.2.13.RELEASE
- pkg:maven/org.springframework.security/spring-security-core (no CPE), range: < 4.2.13
- Spring / Spring Security, range: 4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-v33x-prhc-gph5 (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2019-11272 (NVD entry)
3. lists.debian.org/debian-lts-announce/2019/07/msg00008.html (Debian LTS announcement, mailing list)
4. pivotal.io/security/cve-2019-11272 (vendor advisory)
News mentions
No linked articles in our index yet.