Allele Security Alert
PlaintextPasswordEncoder authenticates encoded passwords that are null
Affected: Spring Security versions 4.2 to 4.2.12
Fixed in: Spring Security version 4.2.13
Proof of concept
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of “null”.
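The following is an added illustration, not Spring Security's code, of the failure class this alert describes and of a check that fails closed instead. It assumes, as one plausible mechanism, that the stored password is coerced to a string before comparison (Java renders a null reference as the four characters "null"); the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical illustration (not Spring Security's code) of how a null stored
// password can match the literal "null", beside a hardened comparison.
public final class NullPasswordCheck {

    // Assumed mechanism: "" + null evaluates to the string "null", so an account
    // whose encoded password is null accepts the submitted password "null".
    static boolean lenientMatches(String rawPassword, String storedPassword) {
        String stored = "" + storedPassword;   // null -> "null"
        return stored.equals(rawPassword);
    }

    // Hardened form: a missing or empty stored credential can never match,
    // and the comparison runs in constant time over the credential bytes.
    static boolean strictMatches(String rawPassword, String storedPassword) {
        if (rawPassword == null || storedPassword == null || storedPassword.isEmpty()) {
            return false;
        }
        return MessageDigest.isEqual(
                rawPassword.getBytes(StandardCharsets.UTF_8),
                storedPassword.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample: an account record whose encoded password is null.
        String storedForAccount = null;

        System.out.println("lenient, submitted \"null\": "
                + lenientMatches("null", storedForAccount));   // true: the defect
        System.out.println("strict,  submitted \"null\": "
                + strictMatches("null", storedForAccount));    // false: fails closed
        System.out.println("strict,  matching password:  "
                + strictMatches("s3cret", "s3cret"));          // true
    }
}
```

The durable fix remains upgrading to 4.2.13 or later; the strict check only shows what a fail-closed comparison on absent credentials looks like.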
Credit: Tim Büthe (mytaxi) and Daniel Neagaru (mytaxi)
CVE-2019-11272: PlaintextPasswordEncoder authenticates encoded passwords that are null
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: June 29, 2019