CVE-2019-11272: PlaintextPasswordEncoder authenticates encoded passwords that are null
Severity
Low
Vendor
Spring by Pivotal
Description
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of “null”.
Affected VMware Products and Versions
Severity is low unless otherwise noted.
- Spring Security 4.2 to 4.2.12
- Older unsupported versions are also affected
- Note that Spring Security 5+ is not impacted by this vulnerability.
Mitigation
Users of affected versions should apply the following mitigation:
- 4.2.x users should upgrade to 4.2.13
- Older versions should upgrade to a supported branch
There are no other mitigation steps necessary.
Credit
This issue was identified and responsibly reported by Tim Büthe and Daniel Neagaru from mytaxi.
History
2019-06-19: Initial vulnerability report published