WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2019-11272 Vulnerability in maven package org.springframework.security:spring-security-core

Description

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Remediation

References

https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html

https://pivotal.io/security/cve-2019-11272

Related Vulnerabilities

CVE-2019-10648 Vulnerability in maven package net.sf.robocode:robocode

CVE-2022-0436 Vulnerability in maven package org.webjars.npm:grunt

CVE-2022-29894 Vulnerability in npm package strapi

CVE-2020-7607 Vulnerability in npm package gulp-styledocco

CVE-2020-13942 Vulnerability in maven package org.apache.unomi:unomi-common

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Tags

Mailing List Third Party Advisory Vendor Advisory