← volver
CVE-2019-11272

PlaintextPasswordEncoder authenticates encoded passwords that are null

EPSS 1.4%CWE-287
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Productos afectados
Spring · Spring Security

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://lists.debian.org/debian-lts-announce/2019/07/msg00008.htmlhttps://pivotal.io/security/cve-2019-11272