Vulnerability Details CVE-2019-11272
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 60.1%
CVSS Severity
CVSS v3 Score 7.3
CVSS v2 Score 7.5
References
Products affected by CVE-2019-11272
-
cpe:2.3:a:vmware:spring_security:4.2.0
-
cpe:2.3:a:vmware:spring_security:4.2.1
-
cpe:2.3:a:vmware:spring_security:4.2.10
-
cpe:2.3:a:vmware:spring_security:4.2.11
-
cpe:2.3:a:vmware:spring_security:4.2.12
-
cpe:2.3:a:vmware:spring_security:4.2.2
-
cpe:2.3:a:vmware:spring_security:4.2.3
-
cpe:2.3:a:vmware:spring_security:4.2.4
-
cpe:2.3:a:vmware:spring_security:4.2.5
-
cpe:2.3:a:vmware:spring_security:4.2.6
-
cpe:2.3:a:vmware:spring_security:4.2.7
-
cpe:2.3:a:vmware:spring_security:4.2.9
-
cpe:2.3:o:debian:debian_linux:8.0