CVE-2019-11272 – org.springframework.security:spring-security-core
Package
Manager: maven
Name: org.springframework.security:spring-security-core
Vulnerable Version: >=0 <4.2.13
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00407 (percentile 0.60352)
Details
Insufficiently Protected Credentials and Improper Authentication in Spring Security
Spring Security versions 4.2.x up to and including 4.2.12, and older unsupported versions, support plain-text passwords through PlaintextPasswordEncoder. If an application on an affected version uses PlaintextPasswordEncoder and a user record has a null encoded password, a malicious user (or an attacker who knows such an account exists) can authenticate to that account by submitting the literal password "null". Two weaknesses are involved: the stored credentials are not protected at all (CWE-522, since the encoder stores and compares passwords in the clear), and the comparison treats a missing stored credential as matchable (CWE-287). The vulnerable range ends at 4.2.13, so upgrading to 4.2.13 or later removes the bypass; independently of the upgrade, applications should not rely on PlaintextPasswordEncoder for credential storage and should verify that no user record carries a null password.
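The following is an added illustration written for this page, not code from Spring Security or the advisory. It models the comparison semantics the advisory describes: a stored null credential is coerced to a String before comparison, so it becomes the four-character string "null" and matches an attacker-supplied password of "null". The class, method names and the sample account are constructed for the demonstration; the assumption that null-to-"null" string coercion is the underlying mechanism is labelled in the comments.

```java
// Added example for CVE-2019-11272. Not Spring Security's source code:
// a simplified stand-in for a plain-text password check, written to show
// why a NULL stored password lets "null" authenticate, and a hardened form.
public class NullPasswordBypassDemo {

    /**
     * Models the vulnerable behaviour (assumption: pre-4.2.13 semantics).
     * Concatenating a Java null with "" yields the string "null", so an
     * account whose encoded password is null compares equal to the literal
     * password "null".
     */
    static boolean vulnerableIsPasswordValid(String encPass, String rawPass) {
        String stored = encPass + "";   // null becomes "null"
        return stored.equals(rawPass);
    }

    /**
     * Hardened variant: a missing stored credential (or a missing submitted
     * one) can never authenticate, regardless of what the client sends.
     */
    static boolean hardenedIsPasswordValid(String encPass, String rawPass) {
        if (encPass == null || rawPass == null) {
            return false;
        }
        return encPass.equals(rawPass);
    }

    public static void main(String[] args) {
        // Constructed sample: an account whose password column is NULL,
        // e.g. a provisioned-but-never-activated or externally managed user.
        String storedPasswordForUnsetAccount = null;

        // The attacker submits the literal password "null".
        boolean vulnerableAccepts =
            vulnerableIsPasswordValid(storedPasswordForUnsetAccount, "null");
        boolean hardenedAccepts =
            hardenedIsPasswordValid(storedPasswordForUnsetAccount, "null");

        System.out.println("vulnerable check accepts \"null\": " + vulnerableAccepts);
        System.out.println("hardened check accepts \"null\":   " + hardenedAccepts);

        // A genuine plain-text credential still authenticates in both variants,
        // so the hardening does not change behaviour for populated accounts.
        System.out.println("vulnerable check, real password:  "
            + vulnerableIsPasswordValid("s3cret", "s3cret"));
        System.out.println("hardened check, real password:    "
            + hardenedIsPasswordValid("s3cret", "s3cret"));
    }
}
```

Compile and run with `javac NullPasswordBypassDemo.java && java NullPasswordBypassDemo`. The vulnerable check reports true for the "null" submission against the unset account while the hardened check reports false; both report true for the populated account. The null guard is a minimal fix for the authentication flaw only; it does nothing about the plain-text storage itself, which is why the advisory also carries CWE-522.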
Metadata
Created: 2019-06-27T17:24:58Z
Modified: 2021-06-09T20:12:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-v33x-prhc-gph5/GHSA-v33x-prhc-gph5.json
CWE IDs: ["CWE-287", "CWE-522"]
Alternative ID: GHSA-v33x-prhc-gph5
Finding: F035
Auto approve: 1