CVE-2019-11272

HIGH7.3EPSS 0.41%

libspring-security-2.0-java - security update

Published: 6/27/2019Modified: 3/9/2026

Description

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of ?null?.

Affected packages (3)

Debian/libspring-security-2.0-javafrom 0, < 2.0.7.RELEASE-3+deb8u2
Maven/org.springframework.security:spring-security-casfrom 0, < 4.2.13.RELEASE
Maven/org.springframework.security:spring-security-corefrom 0, < 4.2.13

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-11272
WEBhttps://lists.debian.org/debian-lts-announce/2019/07/msg00008.html
WEBhttps://pivotal.io/security/cve-2019-11272