High severityNVD Advisory· Published Jun 26, 2019· Updated Sep 16, 2024
PlaintextPasswordEncoder authenticates encoded passwords that are null
CVE-2019-11272
Description
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.security:spring-security-coreMaven | < 4.2.13 | 4.2.13 |
org.springframework.security:spring-security-casMaven | < 4.2.13.RELEASE | 4.2.13.RELEASE |
Affected products
3- ghsa-coords2 versionspkg:maven/org.springframework.security/spring-security-caspkg:maven/org.springframework.security/spring-security-core
< 4.2.13.RELEASE+ 1 more
- (no CPE)range: < 4.2.13.RELEASE
- (no CPE)range: < 4.2.13
- Range: 4.2
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-v33x-prhc-gph5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-11272ghsaADVISORY
- lists.debian.org/debian-lts-announce/2019/07/msg00008.htmlghsamailing-listx_refsource_MLISTWEB
- pivotal.io/security/cve-2019-11272ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.