Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2019-11272 Vulnerability in maven package org.springframework.security:spring-security-core

Description

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Remediation

References

https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html

https://pivotal.io/security/cve-2019-11272

Related Vulnerabilities

CVE-2020-8203 Vulnerability in maven package org.webjars:lodash

CVE-2023-34981 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

CVE-2019-9737 Vulnerability in npm package editor.md

CVE-2023-30547 Vulnerability in npm package vm2

CVE-2022-47551 Vulnerability in maven package io.apiman:apiman-manager-api-rest-impl

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Tags

Mailing List Third Party Advisory Vendor Advisory