Description
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Remediation
References
https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html
https://pivotal.io/security/cve-2019-11272
Related Vulnerabilities
CVE-2022-22984 Vulnerability in npm package @snyk/snyk-cocoapods-plugin
CVE-2021-30246 Vulnerability in maven package org.webjars.bowergithub.kjur:jsrsasign
CVE-2023-25764 Vulnerability in maven package org.jenkins-ci.plugins:email-ext
CVE-2022-2218 Vulnerability in npm package parse-url
CVE-2020-23814 Vulnerability in maven package com.xuxueli:xxl-job