
CVE-2019-11272 org.springframework.security:spring-security-cas

Package

Manager: maven
Name: org.springframework.security:spring-security-cas
Vulnerable Version: >=0 <4.2.13.RELEASE

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00407 (percentile 0.60365)

Details

Insufficiently Protected Credentials and Improper Authentication in Spring Security

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Metadata

Created: 2019-06-27T17:24:58Z
Modified: 2021-06-09T20:12:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-v33x-prhc-gph5/GHSA-v33x-prhc-gph5.json
CWE IDs: ["CWE-287", "CWE-522"]
Alternative ID: GHSA-v33x-prhc-gph5
Finding: F035
Auto approve: 1