Insufficiently Protected Credentials and Improper Authentication in Spring Security

GHSA-v33x-prhc-gph5 · CVE-2019-11272

Published Jun 27, 2019 · Modified Nov 8, 2023

Description

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of ?null?.

References

7.3 / 10

HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Packages

Maven/org.springframework.security:spring-security-cas

Fix 4.2.13.RELEASE

Introduced 0

43 affected versions

3.1.0.RELEASE3.1.1.RELEASE3.1.2.RELEASE3.1.3.RELEASE3.1.4.RELEASE3.1.5.RELEASE3.1.6.RELEASE3.1.7.RELEASE3.2.0.RELEASE3.2.1.RELEASE3.2.10.RELEASE3.2.2.RELEASE3.2.3.RELEASE3.2.4.RELEASE3.2.5.RELEASE3.2.6.RELEASE3.2.7.RELEASE3.2.8.RELEASE3.2.9.RELEASE4.0.0.RELEASE +23 more

Maven/org.springframework.security:spring-security-core

Fix 4.2.13

Introduced 0

61 affected versions

2.0.02.0.12.0.22.0.32.0.42.0.5.RELEASE2.0.6.RELEASE2.0.7.RELEASE2.0.8.RELEASE3.0.0.RELEASE3.0.1.RELEASE3.0.2.RELEASE3.0.3.RELEASE3.0.4.RELEASE3.0.5.RELEASE3.0.6.RELEASE3.0.7.RELEASE3.0.8.RELEASE3.1.0.RELEASE3.1.1.RELEASE +41 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes