Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: pivotal

Published: 2019-06-26T14:06:15.312137Z

Updated: 2024-09-16T19:25:59.208Z

Reserved: 2019-04-18T00:00:00

Link: CVE-2019-11272

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-06-26T14:15:09.980

Modified: 2024-11-21T04:20:49.703

Link: CVE-2019-11272

cve-icon Redhat

Severity : Important

Publid Date: 2019-07-11T00:00:00Z

Links: CVE-2019-11272 - Bugzilla