CVE-2019-11272
PlaintextPasswordEncoder authenticates encoded passwords that are null
Descriptions
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
A flaw was found in Spring Security in several versions, in the use of plain text passwords using the PlaintextPasswordEncoder. If an application is using an affected version of Spring Security with the PlaintextPasswordEncoder and a user has a null encoded password, an attacker can use this flaw to authenticate using a password of "null."
Timeline
- 2019-04-18 CVE Reserved
- 2019-06-26 CVE Published
- 2023-10-20 EPSS Updated
- 2024-09-16 CVE Updated
CWE
- CWE-287: Improper Authentication
- CWE-305: Authentication Bypass by Primary Weakness
- CWE-522: Insufficiently Protected Credentials
References (4)
URL | Tag | Date
---|---|---
https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html | Mailing List |
https://pivotal.io/security/cve-2019-11272 | | 2021-06-08
https://access.redhat.com/security/cve/CVE-2019-11272 | | 2020-03-26
https://bugzilla.redhat.com/show_bug.cgi?id=1728993 | | 2020-03-26
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Vmware | Spring Security | >= 4.2.0 <= 4.2.12 | Affected
Debian | Debian Linux | 8.0 | Affected