ASA-2019-00395 – Pivotal Spring Security: PlaintextPasswordEncoder authenticates encoded passwords that are null


Allele Security Alert

ASA-2019-00395

Identifier(s)

ASA-2019-00395, CVE-2019-11272

Title

PlaintextPasswordEncoder authenticates encoded passwords that are null

Vendor(s)

Pivotal

Product(s)

Spring Security

Affected version(s)

Spring Security version 4.2.0 to 4.2.12 (older, unsupported versions are also affected)

Fixed version(s)

Spring Security version 4.2.13

Proof of concept

Unknown

Description

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions, support plain text passwords through PlaintextPasswordEncoder. If an application using an affected version of Spring Security leverages PlaintextPasswordEncoder and a user's encoded (stored) password is null, a malicious user (or attacker) can authenticate as that user by supplying the literal password "null".
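The advisory does not publish technical details. The following is an added, self-contained Java model (not Spring Security's own code) of how a plaintext comparison that builds its strings by concatenation can be satisfied by the password "null": in Java, "" + null evaluates to the four-character string "null", so a null stored credential becomes equal to a presented password of "null". The class and method names, the salt-merging helper and the sample account are assumptions made for the illustration; a hardened variant that rejects a missing stored credential is shown beside it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustrative model of CVE-2019-11272's failure mode. Not the project's code.
public class NullPasswordDemo {

    // Weak check: builds the stored side with string concatenation.
    // A null encPass becomes the string "null" and is then compared normally.
    static boolean weakIsPasswordValid(String encPass, String rawPass, Object salt) {
        String stored = "" + encPass;                    // null -> "null"
        String presented = mergePasswordAndSalt(rawPass, salt);
        return stored.equals(presented);
    }

    // Hardened check: an account with no stored credential can never authenticate,
    // and the comparison is constant-time to avoid leaking the match length.
    static boolean hardenedIsPasswordValid(String encPass, String rawPass, Object salt) {
        if (encPass == null || rawPass == null) {
            return false;
        }
        String presented = mergePasswordAndSalt(rawPass, salt);
        return MessageDigest.isEqual(
                encPass.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    // Assumed helper: appends an optional salt to the presented password.
    static String mergePasswordAndSalt(String password, Object salt) {
        if (password == null) {
            password = "";
        }
        if (salt == null || "".equals(salt)) {
            return password;
        }
        return password + "{" + salt + "}";
    }

    public static void main(String[] args) {
        // Constructed sample: an account whose encoded password was never set.
        String storedPassword = null;

        System.out.println("weak check, presented \"null\":     "
                + weakIsPasswordValid(storedPassword, "null", null));
        System.out.println("weak check, presented \"secret\":   "
                + weakIsPasswordValid(storedPassword, "secret", null));
        System.out.println("hardened check, presented \"null\": "
                + hardenedIsPasswordValid(storedPassword, "null", null));
        System.out.println("hardened check, real credential:  "
                + hardenedIsPasswordValid("hunter2", "hunter2", null));
    }
}
```

Compile and run with javac NullPasswordDemo.java && java NullPasswordDemo. The weak check accepts "null" for the sample account because both sides of the comparison reduce to the same string; the hardened check rejects it. Until an affected deployment is upgraded to 4.2.13, it is worth auditing the user store for accounts whose stored password is null, since those are the accounts the issue exposes.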

Technical details

Unknown

Credits

Tim Büthe (mytaxi) and Daniel Neagaru (mytaxi)

Reference(s)

CVE-2019-11272: PlaintextPasswordEncoder authenticates encoded passwords that are null
https://pivotal.io/security/cve-2019-11272

CVE-2019-11272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11272

CVE-2019-11272
https://nvd.nist.gov/vuln/detail/CVE-2019-11272

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.