CVE-2019-11272

CVE-2019-11272: PlaintextPasswordEncoder authenticates encoded passwords that are null

Vendor Spring
Product Spring Security
Weakness CWE-287 · Improper authentication
Published June 26, 2019
Last update September 16, 2024

What the vulnerability does

Description

Spring Security versions 4.2.x up to 4.2.12, and older unsupported versions, support plain-text passwords through PlaintextPasswordEncoder. If an application using an affected version of Spring Security relies on PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
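The following Java example is added here to illustrate the failure mode the advisory describes; it is not Spring Security's source code. It re-creates, in a hypothetical `NullEncodedPasswordDemo` class, the kind of string comparison that turns a null stored password into the literal text "null" (an assumption about the mechanism, drawn from the advisory's own wording), places a hardened comparison beside it, and adds a small audit helper a defender can run over a user store to find accounts whose encoded password is null or empty before upgrading.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration of CVE-2019-11272's failure mode. Not Spring Security's
// own code: class and method names are hypothetical.
public class NullEncodedPasswordDemo {

    // Assumed vulnerable pattern: concatenating a null String with "" yields
    // the text "null", so a stored password of null compares equal to the
    // raw password "null".
    static boolean vulnerableIsPasswordValid(String encPass, String rawPass) {
        String stored = "" + encPass;   // null becomes "null" here
        return stored.equals(rawPass);
    }

    // Hardened pattern: an account with no stored password (null or empty)
    // can never authenticate, and a null raw password is rejected outright.
    static boolean hardenedIsPasswordValid(String encPass, String rawPass) {
        if (encPass == null || encPass.isEmpty() || rawPass == null) {
            return false;
        }
        return encPass.equals(rawPass);
    }

    // Audit helper: returns the usernames whose encoded password is null or
    // empty. Running this over the user store identifies the accounts that
    // the advisory's condition applies to.
    static List<String> findAccountsWithNoPassword(Map<String, String> users) {
        List<String> affected = new ArrayList<>();
        for (Map.Entry<String, String> e : users.entrySet()) {
            String encoded = e.getValue();
            if (encoded == null || encoded.isEmpty()) {
                affected.add(e.getKey());
            }
        }
        return affected;
    }

    public static void main(String[] args) {
        // Constructed sample user store (username -> stored plain-text password).
        Map<String, String> users = new HashMap<>();
        users.put("alice", "s3cret");
        users.put("bob", null);
        users.put("carol", "");

        System.out.println("vulnerable check, stored=null, raw=\"null\": "
                + vulnerableIsPasswordValid(users.get("bob"), "null"));
        System.out.println("hardened check, stored=null, raw=\"null\": "
                + hardenedIsPasswordValid(users.get("bob"), "null"));
        System.out.println("hardened check, stored=s3cret, raw=s3cret: "
                + hardenedIsPasswordValid(users.get("alice"), "s3cret"));
        System.out.println("accounts with no stored password: "
                + findAccountsWithNoPassword(users));
    }
}
```

The hardened variant treats a missing credential as a closed door rather than as a comparable string, which is the property the affected releases lacked. The audit helper is the practical companion to upgrading: accounts it lists should have their credentials reset, since a null stored password is never a legitimate state for an authenticable account.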

Key dates

Disclosure timeline

June 26, 2019 CVE published
September 16, 2024 Record updated