CVE-2019-11272

HIGH

Spring Security 4.2.x < 4.2.13 - Authentication Bypass via Null Password

Title source: llm

Description

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
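The failure mode described above, as an added illustration that is not Spring Security's own code: a plaintext password check that coerces a null stored password to the text "null" through string concatenation, beside a hardened check that refuses to match when no credential is on file. Class and method names here are assumptions made for the example.

```java
import java.util.Objects;

// Constructed illustration of the CVE-2019-11272 failure mode; not Spring Security's code.
public class NullPasswordDemo {

    // Vulnerable pattern: concatenating a null String with "" yields the text "null",
    // so a user whose stored (encoded) password is null matches the literal password "null".
    static boolean vulnerableMatches(String storedPassword, String rawPassword) {
        String stored = storedPassword + "";              // null becomes "null"
        String presented = rawPassword == null ? "" : rawPassword;
        return stored.equals(presented);
    }

    // Hardened pattern: a missing or empty stored credential never matches anything,
    // and the comparison is explicit instead of relying on String coercion.
    static boolean hardenedMatches(String storedPassword, String rawPassword) {
        if (storedPassword == null || storedPassword.isEmpty()) {
            return false;                                 // no credential on file: deny
        }
        if (rawPassword == null) {
            return false;
        }
        return Objects.equals(storedPassword, rawPassword);
    }

    // Defender-side audit helper: a record is exposed when it is compared in plaintext
    // and has no stored password at all.
    static boolean isAffectedRecord(String storedPassword, boolean plaintextEncoder) {
        return plaintextEncoder && storedPassword == null;
    }

    public static void main(String[] args) {
        String nullStored = null;                         // constructed: user with no encoded password
        System.out.println("vulnerable check, stored=null, presented=\"null\": "
                + vulnerableMatches(nullStored, "null"));
        System.out.println("hardened check,   stored=null, presented=\"null\": "
                + hardenedMatches(nullStored, "null"));
        System.out.println("hardened check,   stored=\"s3cret\", presented=\"s3cret\": "
                + hardenedMatches("s3cret", "s3cret"));
        System.out.println("record affected: " + isAffectedRecord(nullStored, true));
    }
}
```

The hardened form only closes the null-coercion hole; keeping passwords in plaintext at all remains the CWE-522 weakness this record lists, so migrating to a hashing encoder is the real remediation.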

References (2)

Vendor Advisory (x_refsource_confirm): https://pivotal.io/security/cve-2019-11272
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html

Scores

CVSS v3 7.3
EPSS 0.0041
EPSS Percentile 61.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-522 CWE-287
Status published
Products (4)
debian/debian_linux 8.0
org.springframework.security/spring-security-cas 0 - 4.2.13.RELEASE (Maven)
org.springframework.security/spring-security-core 0 - 4.2.13 (Maven)
vmware/spring_security < 4.2.13
Published Jun 26, 2019
Tracked Since Feb 18, 2026