CVE-2019-11272

HIGH7.3EPSS 0.41%

libspring-security-2.0-java - security update

發布日:2019/6/27修改日:2026/3/9

描述

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of ?null?.

受影響套件(3)

Debian/libspring-security-2.0-javafrom 0, < 2.0.7.RELEASE-3+deb8u2
Maven/org.springframework.security:spring-security-casfrom 0, < 4.2.13.RELEASE
Maven/org.springframework.security:spring-security-corefrom 0, < 4.2.13

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-11272
WEBhttps://lists.debian.org/debian-lts-announce/2019/07/msg00008.html
WEBhttps://pivotal.io/security/cve-2019-11272