{"containers": {"cna": {"affected": [{"product": "Spring Security", "vendor": "Spring", "versions": [{"lessThan": "4.2.13.RELEASE", "status": "affected", "version": "4.2", "versionType": "custom"}]}], "datePublic": "2019-06-20T00:00:00", "descriptions": [{"lang": "en", "value": "Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of \"null\"."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287: Improper Authentication - Generic", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-07-09T08:06:02", "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "shortName": "pivotal"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://pivotal.io/security/cve-2019-11272"}, {"name": "[debian-lts-announce] 20190709 [SECURITY] [DLA 1848-1] libspring-security-2.0-java security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html"}], "source": {"discovery": "UNKNOWN"}, "title": "PlaintextPasswordEncoder authenticates encoded passwords that are null", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@pivotal.io", "DATE_PUBLIC": "2019-06-20T20:19:44.000Z", "ID": "CVE-2019-11272", "STATE": "PUBLIC", "TITLE": "PlaintextPasswordEncoder authenticates encoded passwords that are null"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spring Security", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "4.2", "version_value": "4.2.13.RELEASE"}]}}]}, "vendor_name": "Spring"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of \"null\"."}]}, "impact": null, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287: Improper Authentication - Generic"}]}]}, "references": {"reference_data": [{"name": "https://pivotal.io/security/cve-2019-11272", "refsource": "CONFIRM", "url": "https://pivotal.io/security/cve-2019-11272"}, {"name": "[debian-lts-announce] 20190709 [SECURITY] [DLA 1848-1] libspring-security-2.0-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:48:09.049Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://pivotal.io/security/cve-2019-11272"}, {"name": "[debian-lts-announce] 20190709 [SECURITY] [DLA 1848-1] libspring-security-2.0-java security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html"}]}]}, "cveMetadata": {"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03", "assignerShortName": "pivotal", "cveId": "CVE-2019-11272", "datePublished": "2019-06-26T14:06:15.312137Z", "dateReserved": "2019-04-18T00:00:00", "dateUpdated": "2024-09-16T19:25:59.208Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "B45AEB53-BA11-4B6C-9FDE-E4B925D90E1D", "versionEndExcluding": "4.2.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of \"null\"."}, {"lang": "es", "value": "Spring Security, versiones 4.2.x hasta 4.2.12, y versiones anteriores no compatibles admiten contrase\u00f1as de texto sin formato mediante PlaintextPasswordEncoder. Si una aplicaci\u00f3n que usa una versi\u00f3n afectada de Spring Security est\u00e1 aprovechando PlaintextPasswordEncoder y un usuario tiene una contrase\u00f1a codificada nula, un usuario malicioso (o atacante) puede identificarse usando una contrase\u00f1a de \"null\"."}], "id": "CVE-2019-11272", "lastModified": "2025-09-12T19:44:04.127", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-26T14:15:09.980", "references": [{"source": "security@pivotal.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html"}, {"source": "security@pivotal.io", "tags": ["Vendor Advisory"], "url": "https://pivotal.io/security/cve-2019-11272"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://pivotal.io/security/cve-2019-11272"}], "sourceIdentifier": "security@pivotal.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@pivotal.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:0983", "cpe": "cpe:/a:redhat:jboss_fuse:7", "impact": "moderate", "package": "spring-security-core", "product_name": "Red Hat Fuse 7.6.0", "release_date": "2020-03-26T00:00:00Z"}], "bugzilla": {"description": "spring-security-core: mishandling of user passwords allows logging in with a password of NULL", "id": "1728993", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1728993"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-305", "details": ["Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of \"null\".", "A flaw was found in Spring Security in several versions, in the use of plain text passwords using the PlaintextPasswordEncoder. If an application is using an affected version of Spring Security with the PlaintextPasswordEncoder and a user has a null encoded password, an attacker can use this flaw to authenticate using a password of \"null.\""], "name": "CVE-2019-11272", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:14", "fix_state": "Not affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 14 (Rocky)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2019-07-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-11272\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11272\nhttps://pivotal.io/security/cve-2019-11272"], "statement": "Red Hat OpenStack Platform's OpenDaylight versions 9 and 10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.", "threat_severity": "Important"}

{}