Description
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Remediation
References
https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html
https://pivotal.io/security/cve-2019-11272
Related Vulnerabilities
CVE-2022-4111 Vulnerability in npm package tooljet
CVE-2023-31206 Vulnerability in maven package org.apache.inlong:manager-dao
CVE-2020-28278 Vulnerability in npm package shvl
CVE-2021-30179 Vulnerability in maven package org.apache.dubbo:dubbo
CVE-2020-11990 Vulnerability in npm package cordova-plugin-camera