Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-11272

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Published

2019-06-26T14:15:09.980

Last Modified

2024-11-21T04:20:49.703

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.3 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-287
Type: Primary
CWE-522

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	vmware	spring_security	≤ 4.2.12	Yes
Operating System	debian	debian_linux	8.0	Yes

References

https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html Mailing List, Third Party Advisory ([email protected])
https://pivotal.io/security/cve-2019-11272 Vendor Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://pivotal.io/security/cve-2019-11272 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)