CVE-2019-11272

HIGH

Vmware Spring Security < 4.2.13 - Authentication Bypass

Title source: rule

Description

Spring Security versions 4.2.0 through 4.2.12, and older unsupported release lines, support plain-text password storage through PlaintextPasswordEncoder. When an application built on an affected version uses PlaintextPasswordEncoder and an account's stored (encoded) password is null, an attacker can authenticate to that account by submitting the literal string "null" as the password.

Two conditions must both hold: the application must actually be using PlaintextPasswordEncoder (rather than a hashing PasswordEncoder such as BCryptPasswordEncoder), and at least one account must carry a null encoded password, for example a provisioned but never activated user or a row migrated from a system that stored credentials elsewhere. Applications on an affected version should upgrade to 4.2.13 or later; independently of the fix, PlaintextPasswordEncoder belongs to the deprecated legacy encoding API and should be replaced with a salted, adaptive PasswordEncoder, since plain-text credential storage is a weakness in its own right (CWE-522). Auditing the user store for null or empty password values is a worthwhile check in either case.
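The following stand-alone Java program is an added illustration of the failure mode the description reports; it is not Spring Security's code. It models a plaintext comparator in which a null stored password is coerced to the string "null" via string concatenation (an assumption about how the bypass arises, chosen because it reproduces exactly the behaviour described), places a guarded, constant-time comparator beside it, and exercises both against a constructed account whose encoded password was never set. The class and method names are invented for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/**
 * Demonstration of a null-stored-password authentication bypass in a
 * plaintext password comparator. Not Spring Security's implementation.
 */
public class NullPasswordBypassDemo {

    /**
     * Vulnerable comparator. Assumption for this demo: the stored value is
     * turned into a String by concatenation, so a null stored password
     * becomes the literal "null" and matches a presented password "null".
     */
    static boolean vulnerableIsPasswordValid(String storedEncodedPassword, String rawPassword) {
        String stored = "" + storedEncodedPassword;   // null -> "null"
        String presented = "" + rawPassword;
        return stored.equals(presented);
    }

    /**
     * Hardened comparator: an account without a stored credential can never
     * authenticate, and the comparison runs in constant time. The real fix is
     * to stop storing plain text at all; this only closes the null hole.
     */
    static boolean hardenedIsPasswordValid(String storedEncodedPassword, String rawPassword) {
        if (storedEncodedPassword == null || storedEncodedPassword.isEmpty() || rawPassword == null) {
            return false;
        }
        byte[] stored = storedEncodedPassword.getBytes(StandardCharsets.UTF_8);
        byte[] presented = rawPassword.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(stored, presented);
    }

    /** Constructed user record: an account that was provisioned but never given a password. */
    static final class UserRecord {
        final String username;
        final String encodedPassword;   // null in the vulnerable scenario
        UserRecord(String username, String encodedPassword) {
            this.username = username;
            this.encodedPassword = encodedPassword;
        }
    }

    public static void main(String[] args) {
        UserRecord pending = new UserRecord("pending-user", null);
        UserRecord active = new UserRecord("active-user", "correct horse battery staple");

        // Attacker submits the literal string "null" for the account with no stored password.
        boolean bypass = vulnerableIsPasswordValid(pending.encodedPassword, "null");
        boolean blocked = hardenedIsPasswordValid(pending.encodedPassword, "null");
        System.out.println("vulnerable comparator, password \"null\": " + bypass);   // true: bypass
        System.out.println("hardened comparator, password \"null\":   " + blocked);  // false

        // Sanity check: a real account with the right password still authenticates
        // under the hardened comparator, and a wrong password is rejected.
        System.out.println("hardened, correct password: "
                + hardenedIsPasswordValid(active.encodedPassword, "correct horse battery staple"));  // true
        System.out.println("hardened, wrong password:   "
                + hardenedIsPasswordValid(active.encodedPassword, "null"));                           // false
    }
}
```

Run with `javac NullPasswordBypassDemo.java && java NullPasswordBypassDemo`. The guard on the stored value is the piece that matters for this CVE: any comparator that stringifies or otherwise normalises a missing credential before comparing it invites the same class of bypass, whatever encoder sits behind it.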

Scores

CVSS v3 7.3
EPSS 0.0041
EPSS Percentile 60.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Classification

CWE
CWE-522 CWE-287
Status published

Affected Products (4)

vmware/spring_security < 4.2.13
debian/debian_linux
org.springframework.security/spring-security-core < 4.2.13 (Maven)
org.springframework.security/spring-security-cas < 4.2.13.RELEASE (Maven)

Timeline

Published Jun 26, 2019
Tracked Since Feb 18, 2026