PT-2019-2963 · Spring · Spring Security
Author: Daniel Neagaru
Published: 2019-06-19 · Updated: 2025-09-12
CVE-2019-11272
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Spring Security versions 4.2.x up to 4.2.12
Description
The issue lies in the implementation of the PlaintextPasswordEncoder class in the Spring Security Java framework, which is used to secure industrial applications, and is associated with weaknesses in managing registration data. Exploiting it may allow a remote attacker to gain unauthorized access to protected information using a null password: if an application running an affected version of Spring Security uses PlaintextPasswordEncoder and a user's encoded password is null, a malicious user can authenticate using the password "null".
Recommendations
For Spring Security versions 4.2.x up to 4.2.12, consider disabling the use of PlaintextPasswordEncoder until a patch is available to prevent malicious users from authenticating with a null password. Restrict access to applications that leverage PlaintextPasswordEncoder to minimize the risk of exploitation. Avoid using null encoded passwords in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
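The following Java example is added here to illustrate the two points above; it is not Spring Security's source. It contrasts a lenient comparison that coerces a null stored password to the string "null" (the mechanism is assumed for illustration) with a strict check that refuses null on either side, and it adds a small audit helper for finding accounts whose encoded password is null, which the recommendations ask operators to avoid. The class name, method names and the sample user map are all constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class NullPasswordCheck {

    // Lenient pattern (assumed, for illustration only): coercing the stored value
    // to a String via concatenation turns a null reference into the text "null",
    // so an account with no encoded password matches the supplied password "null".
    static boolean isPasswordValidLenient(String encodedPassword, String rawPassword) {
        String stored = "" + encodedPassword;
        String supplied = "" + rawPassword;
        return stored.equals(supplied);
    }

    // Hardened check: a null stored password or a null supplied password never
    // authenticates, and the byte comparison does not short-circuit on length.
    static boolean isPasswordValidStrict(String encodedPassword, String rawPassword) {
        if (encodedPassword == null || rawPassword == null) {
            return false;
        }
        byte[] stored = encodedPassword.getBytes(StandardCharsets.UTF_8);
        byte[] supplied = rawPassword.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(stored, supplied);
    }

    // Audit helper: list every username whose encoded password is null so the
    // accounts can be disabled or reset before a plaintext encoder is used.
    static List<String> accountsWithNullPassword(Map<String, String> users) {
        List<String> affected = new ArrayList<>();
        for (Map.Entry<String, String> entry : users.entrySet()) {
            if (entry.getValue() == null) {
                affected.add(entry.getKey());
            }
        }
        return affected;
    }

    public static void main(String[] args) {
        // Constructed sample user store: one account was created without a password.
        Map<String, String> users = new LinkedHashMap<>();
        users.put("alice", "s3cret");
        users.put("svc-import", null);

        System.out.println("accounts with null encoded password: " + accountsWithNullPassword(users));

        String storedForService = users.get("svc-import");
        System.out.println("lenient check, supplied \"null\": "
                + isPasswordValidLenient(storedForService, "null"));
        System.out.println("strict check,  supplied \"null\": "
                + isPasswordValidStrict(storedForService, "null"));
        System.out.println("strict check, alice with correct password: "
                + isPasswordValidStrict(users.get("alice"), "s3cret"));
    }
}
```

Running it shows the lenient comparison accepting "null" for the passwordless service account while the strict comparison rejects it and still accepts a genuine match; the audit helper is the piece to run against a real user store before deciding whether disabling PlaintextPasswordEncoder alone is enough.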
Insufficiently Protected Credentials
Improper Authentication
Related Identifiers
Affected Products
Spring Security