Spring Security versions 4.2.x up to 4.2.12, and older unsupported versions, support plain-text passwords through PlaintextPasswordEncoder. If an application running an affected version uses PlaintextPasswordEncoder and a user's stored encoded password is null, a malicious user (or attacker) can authenticate using the password "null".
References
| Link | Resource |
|---|---|
| https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html | Mailing List, Third Party Advisory |
| https://pivotal.io/security/cve-2019-11272 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: pivotal
Published: 2019-06-20T00:00:00
Updated: 2019-07-09T08:06:02
Reserved: 2019-04-18T00:00:00
Link: CVE-2019-11272
NVD Information
Status : Analyzed
Published: 2019-06-26T14:15:09.980
Modified: 2021-06-08T18:21:06.127
Link: CVE-2019-11272
Redhat Information
No data.