CVE-2019-11272 - OpenCVE

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Vmware	Spring Security
Debian	Debian Linux

Configuration 1 [-]

cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

References

Link	Resource
https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html	Mailing List Third Party Advisory
https://pivotal.io/security/cve-2019-11272	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: pivotal

Published: 2019-06-20T00:00:00

Updated: 2019-07-09T08:06:02

Reserved: 2019-04-18T00:00:00

Link: CVE-2019-11272

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-06-26T14:15:09.980

Modified: 2021-06-08T18:21:06.127

Link: CVE-2019-11272

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Spring Security", "vendor": "Spring", "versions": [{"lessThan": "4.2.13.RELEASE", "status": "affected", "version": "4.2", "versionType": "custom"}]}], "datePublic": "2019-06-20T00:00:00", "descriptions": [{"lang": "en", "value": "Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of \"null\"."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287: Improper Authentication - Generic", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-07-09T08:06:02", "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "shortName": "pivotal"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://pivotal.io/security/cve-2019-11272"}, {"name": "[debian-lts-announce] 20190709 [SECURITY] [DLA 1848-1] libspring-security-2.0-java security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html"}], "source": {"discovery": "UNKNOWN"}, "title": "PlaintextPasswordEncoder authenticates encoded passwords that are null", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@pivotal.io", "DATE_PUBLIC": "2019-06-20T20:19:44.000Z", "ID": "CVE-2019-11272", "STATE": "PUBLIC", "TITLE": "PlaintextPasswordEncoder authenticates encoded passwords that are null"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spring Security", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "4.2", "version_value": "4.2.13.RELEASE"}]}}]}, "vendor_name": "Spring"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of \"null\"."}]}, "impact": null, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287: Improper Authentication - Generic"}]}]}, "references": {"reference_data": [{"name": "https://pivotal.io/security/cve-2019-11272", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2019-11272"}, {"name": "[debian-lts-announce] 20190709 [SECURITY] [DLA 1848-1] libspring-security-2.0-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "assignerShortName": "pivotal", "cveId": "CVE-2019-11272", "datePublished": "2019-06-20T00:00:00", "dateReserved": "2019-04-18T00:00:00", "dateUpdated": "2019-07-09T08:06:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D2585C6-B992-451D-A58E-2311D64F78A8", "versionEndIncluding": "4.2.12", "versionStartIncluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of \"null\"."}, {"lang": "es", "value": "Spring Security, versiones 4.2.x hasta 4.2.12, y versiones anteriores no compatibles admiten contrase\u00f1as de texto sin formato mediante PlaintextPasswordEncoder. Si una aplicaci\u00f3n que usa una versi\u00f3n afectada de Spring Security est\u00e1 aprovechando PlaintextPasswordEncoder y un usuario tiene una contrase\u00f1a codificada nula, un usuario malicioso (o atacante) puede identificarse usando una contrase\u00f1a de \"null\"."}], "id": "CVE-2019-11272", "lastModified": "2021-06-08T18:21:06.127", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-26T14:15:09.980", "references": [{"source": "security@pivotal.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html"}, {"source": "security@pivotal.io", "tags": ["Vendor Advisory"], "url": "https://pivotal.io/security/cve-2019-11272"}], "sourceIdentifier": "security@pivotal.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@pivotal.io", "type": "Secondary"}]}