CVE-2019-11272

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-11272

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11272.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-11272

Aliases

GHSA-v33x-prhc-gph5

Related

DLA-1848-1

Published

2019-06-26T14:15:09Z

Modified

2024-09-03T02:22:59.772512Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

References

Affected packages

Git / github.com/spring-projects/spring-security

Affected ranges

Type: GIT
Repo: https://github.com/spring-projects/spring-security
Events: Introduced

24fcb6c45a55333e5b856b6c73f14b68ceca0e19

Last affected

f154c7d9dcdebc690bf504b812db21a6d7148caf

Affected versions

4.*

4.2.0.RELEASE

4.2.1.RELEASE

4.2.10.RELEASE

4.2.11.RELEASE

4.2.12.RELEASE

4.2.2.RELEASE

4.2.3.RELEASE

4.2.4.RELEASE

4.2.5.RELEASE

4.2.6.RELEASE

4.2.7.RELEASE

4.2.9.RELEASE