CVE-2019-11272
libspring-security-2.0-java - security update
Severity: 7.3 HIGH (CVSS 3.1)
EPSS: 0.41%
Description
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
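The root cause described above is a stored (encoded) password of null being treated as a credential that a submitted string can match. Upgrading is the fix; as a defence-in-depth illustration, the following added example (not code from Spring Security or from this advisory) wraps the 4.2.x legacy PasswordEncoder interface in a hypothetical decorator, NullRejectingPasswordEncoder, that refuses to validate against a null or blank stored password regardless of what the delegate encoder would do. The PasswordEncoder and PlaintextPasswordEncoder types in org.springframework.security.authentication.encoding are the real 4.2.x legacy API; the decorator class and the sample login attempt are constructed for this example.

```java
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;

// Hypothetical defensive decorator (not part of Spring Security): an account whose
// stored encoded password is null or blank has no credential, so no submitted
// password may ever match it, whatever the wrapped encoder would decide.
public final class NullRejectingPasswordEncoder implements PasswordEncoder {
    private final PasswordEncoder delegate;

    public NullRejectingPasswordEncoder(PasswordEncoder delegate) {
        if (delegate == null) {
            throw new IllegalArgumentException("delegate encoder must not be null");
        }
        this.delegate = delegate;
    }

    @Override
    public String encodePassword(String rawPass, Object salt) {
        // Never store a null password: refuse at encode time rather than
        // persisting a value that later reads back as null.
        if (rawPass == null) {
            throw new IllegalArgumentException("raw password must not be null");
        }
        return delegate.encodePassword(rawPass, salt);
    }

    @Override
    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        // Guard: missing stored credential or missing submitted password -> deny,
        // without consulting the delegate at all.
        if (encPass == null || encPass.trim().isEmpty() || rawPass == null) {
            return false;
        }
        return delegate.isPasswordValid(encPass, rawPass, salt);
    }

    public static void main(String[] args) {
        // Constructed sample: an account row with a null encoded password and a
        // login attempt using the literal string "null", as in the advisory.
        String storedEncodedPassword = null;
        String submittedPassword = "null";

        PasswordEncoder guarded =
            new NullRejectingPasswordEncoder(new PlaintextPasswordEncoder());

        boolean accepted = guarded.isPasswordValid(storedEncodedPassword, submittedPassword, null);
        System.out.println("login accepted with null stored password: " + accepted);
    }
}
```

The decorator is deliberately independent of the delegate's own null handling, so it also protects a deployment that cannot upgrade immediately; it is a mitigation layered on top of, not a substitute for, moving to 4.2.13 or later.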
How to fix CVE-2019-11272
To remediate CVE-2019-11272, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 2.0.7.RELEASE-3+deb8u2 or later
- upgrade to 4.2.13.RELEASE or later
- upgrade to 4.2.13 or later
Is CVE-2019-11272 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.0.7.RELEASE-3+deb8u2
- from 0, < 4.2.13.RELEASE
- from 0, < 4.2.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |