Vulnerability: Authentication Bypass via Null Password in Spring Security

Vulnerability: Authentication Bypass via Null Password in Spring Security

CVE-2019-11272 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Learn more about our User Device Pen Test.