CVE-2019-11272: PlaintextPasswordEncoder authenticates encoded passwords that are null
First published: Thu Jun 20 2019(Updated: )
A flaw was found in Spring Security in several versions, in the use of plain text passwords using the PlaintextPasswordEncoder. If an application is using an affected version of Spring Security with the PlaintextPasswordEncoder and a user has a null encoded password, an attacker can use this flaw to authenticate using a password of "null."
Credit: security@pivotal.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM GDE | <=3.0.0.2 | |
| Vmware Spring Security | >=4.2.0<=4.2.12 | |
| Debian Debian Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-11272 https://nvd.nist.gov/vuln/detail/CVE-2019-11272 https://pivotal.io/security/cve-2019-11272
- https://bugzilla.redhat.com/show_bug.cgi?id=1728993
- https://access.redhat.com/errata/RHSA-2020:0983
- https://access.redhat.com/security/cve/cve-2019-11272
- https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html
- https://pivotal.io/security/cve-2019-11272
- https://exchange.xforce.ibmcloud.com/vulnerabilities/166568
- https://www.ibm.com/support/pages/node/6320835 (Advisory)
Frequently Asked Questions
What is CVE-2019-11272?
CVE-2019-11272 is a vulnerability in Pivotal Spring Security that could allow a remote attacker to bypass security restrictions caused by a plain text password.
What versions of Spring Security are affected by CVE-2019-11272?
Spring Security versions 4.2.x up to 4.2.12, and older unsupported versions are affected by CVE-2019-11272.
How can a remote attacker exploit CVE-2019-11272?
A remote attacker can exploit CVE-2019-11272 by leveraging a null encoded password when an application is using the affected version of Spring Security with PlaintextPasswordEncoder.
What is the severity of CVE-2019-11272?
CVE-2019-11272 has a severity rating of 7.3 (high).
How can I fix CVE-2019-11272?
To fix CVE-2019-11272, it is recommended to upgrade to a patched version of Spring Security (4.2.13 or later) or apply the necessary security updates provided by the vendor.
- collector/redhat-cve
- collector/nvd-index
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-11272
- agent/type
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/tags
- agent/first-publish-date
- agent/event
- vendor/vmware
- canonical/vmware spring security
- version/vmware spring security/4.2.0
- version/vmware spring security/4.2.12
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/ibm
- canonical/ibm gde
- version/ibm gde/3.0.0.2