CVE-2019-11272

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

History

08 Jun 2021, 18:21

Type Values Removed Values Added
CPE cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:* cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*

Information

Published : 2019-06-26 14:15

Updated : 2024-02-04 20:20


NVD link : CVE-2019-11272

Mitre link : CVE-2019-11272

CVE.ORG link : CVE-2019-11272


JSON object : View

Products Affected

vmware

  • spring_security

debian

  • debian_linux
CWE
CWE-522

Insufficiently Protected Credentials

CWE-287

Improper Authentication