Allele Security Alert
ASA-2019-00395
Identifier(s)
ASA-2019-00395, CVE-2019-11272
Title
PlaintextPasswordEncoder authenticates encoded passwords that are null
Vendor(s)
Pivotal
Product(s)
Spring Security
Affected version(s)
Spring Security version 4.2 to 4.2.12
Fixed version(s)
Spring Security version 4.2.13
Proof of concept
Unknown
Description
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions, support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of “null”.
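The following is an added illustration of the failure mode described above, written for this alert and not taken from Spring Security. It assumes (as an assumption, since the technical details are not given here) that the stored value is coerced to a String before comparison, so that a null stored password becomes the text "null"; the hardened matcher and the audit helper show the defensive checks a practitioner would want.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

/** Added illustration for ASA-2019-00395; not Spring Security's own code. */
public final class NullSafePlaintextMatcher {

    // Assumed mechanism: building the comparison string with "" + encoded
    // turns a null stored value into the literal text "null", so a raw
    // password of "null" compares equal to a missing credential.
    static boolean naiveMatches(String rawPassword, String encodedPassword) {
        String stored = "" + encodedPassword;
        return stored.equals(rawPassword);
    }

    // Hardened check: a null or empty stored credential never authenticates,
    // and the comparison runs in constant time.
    static boolean safeMatches(String rawPassword, String encodedPassword) {
        if (rawPassword == null || encodedPassword == null || encodedPassword.isEmpty()) {
            return false;
        }
        byte[] raw = rawPassword.getBytes(StandardCharsets.UTF_8);
        byte[] stored = encodedPassword.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(raw, stored);
    }

    // Audit helper: list accounts whose stored password is null, so such
    // records can be locked or reset before an affected version is exposed.
    static List<String> accountsWithNullPassword(String[][] users) {
        List<String> affected = new ArrayList<>();
        for (String[] user : users) {
            if (user[1] == null) {
                affected.add(user[0]);
            }
        }
        return affected;
    }

    public static void main(String[] args) {
        // Constructed sample user store: {username, stored password}.
        String[][] users = { {"alice", "s3cret"}, {"bob", null} };
        System.out.println("naive, password \"null\" vs null store: " + naiveMatches("null", null));
        System.out.println("safe,  password \"null\" vs null store: " + safeMatches("null", null));
        System.out.println("safe,  correct password: " + safeMatches("s3cret", "s3cret"));
        System.out.println("accounts with null password: " + accountsWithNullPassword(users));
    }
}
```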
Technical details
Unknown
Credits
Tim Büthe (mytaxi) and Daniel Neagaru (mytaxi)
Reference(s)
CVE-2019-11272: PlaintextPasswordEncoder authenticates encoded passwords that are null
https://pivotal.io/security/cve-2019-11272
CVE-2019-11272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11272
CVE-2019-11272
https://nvd.nist.gov/vuln/detail/CVE-2019-11272
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 29, 2019