CVE-2019-11272

Sažetak

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Reference

https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html
https://pivotal.io/security/cve-2019-11272
https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html
https://pivotal.io/security/cve-2019-11272

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

12-09-2025 - 19:44

Objavljeno

26-06-2019 - 14:15