Vulnerability Description
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Security | < 4.2.13 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://lists.debian.org/debian-lts-announce/2019/07/msg00008.htmlMailing ListThird Party Advisory
- https://pivotal.io/security/cve-2019-11272Vendor Advisory
- https://lists.debian.org/debian-lts-announce/2019/07/msg00008.htmlMailing ListThird Party Advisory
- https://pivotal.io/security/cve-2019-11272Vendor Advisory
FAQ
What is CVE-2019-11272?
CVE-2019-11272 is a vulnerability with a CVSS score of 7.3 (HIGH). Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security...
How severe is CVE-2019-11272?
CVE-2019-11272 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-11272?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Security, Debian Debian Linux.