Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null". External References: https://pivotal.io/security/cve-2019-11272
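To make the failure mode concrete, the following Java class is an added illustration; it is not Spring Security's source and not part of this bug record. It models one way a Java comparison can accept a presented password of "null" for an account whose stored (encoded) password is null: string concatenation coerces a null reference into the four-character literal "null". Next to the flawed check it shows the fail-closed comparison a defender wants, and a simple scan of a user store for accounts whose encoded password is null, since those are the only accounts the advisory says are exposed. The class name, method names, the coercion mechanism and the sample accounts are assumptions made for this example, not a description of Spring's implementation.

```java
// Added illustration of the null-password weakness described in CVE-2019-11272.
// Hypothetical model, not Spring Security code: shows a flawed plaintext
// comparison beside a hardened one, plus a user-store check for exposed accounts.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class NullPasswordCheck {

    /**
     * Flawed plaintext comparison (assumed model of the weakness):
     * "" + encPass turns a null stored password into the String "null",
     * so a user presenting the password "null" is authenticated.
     */
    static boolean flawedIsPasswordValid(String encPass, String rawPass) {
        String stored = "" + encPass;      // null reference becomes the literal "null"
        String presented = "" + rawPass;   // plaintext "encoding" is the identity
        return stored.equals(presented);
    }

    /**
     * Hardened comparison: an absent or empty stored credential can never
     * authenticate, a null presented password is rejected explicitly, and the
     * byte comparison is constant-time so timing does not leak prefix matches.
     */
    static boolean hardenedIsPasswordValid(String encPass, String rawPass) {
        if (encPass == null || encPass.isEmpty() || rawPass == null) {
            return false;                  // fail closed on missing credentials
        }
        return MessageDigest.isEqual(
                encPass.getBytes(StandardCharsets.UTF_8),
                rawPass.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Data-quality check an operator can run over a user store: return the
     * account names whose encoded password is null, i.e. the accounts that
     * the advisory says are affected.
     */
    static List<String> accountsWithNullPassword(Map<String, String> users) {
        List<String> affected = new ArrayList<>();
        for (Map.Entry<String, String> entry : users.entrySet()) {
            if (entry.getValue() == null) {
                affected.add(entry.getKey());
            }
        }
        return affected;
    }

    public static void main(String[] args) {
        // Constructed sample user store: "alice" has a password, "bob" was
        // created incorrectly with no encoded password at all.
        Map<String, String> users = new LinkedHashMap<>();
        users.put("alice", "correct horse");
        users.put("bob", null);

        System.out.println("flawed check, bob with \"null\":   "
                + flawedIsPasswordValid(users.get("bob"), "null"));
        System.out.println("hardened check, bob with \"null\": "
                + hardenedIsPasswordValid(users.get("bob"), "null"));
        System.out.println("hardened check, alice, real pw:  "
                + hardenedIsPasswordValid(users.get("alice"), "correct horse"));
        System.out.println("accounts with null password:      "
                + accountsWithNullPassword(users));
    }
}
```

Run with `javac NullPasswordCheck.java && java NullPasswordCheck`. The flawed variant authenticates "bob" with the password "null" while the hardened one refuses, and the store scan names exactly the accounts an operator should repair (or lock) before relying on any password encoder, plaintext or otherwise.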
Statement: Red Hat OpenStack Platform's OpenDaylight versions 9 and 10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.
Re-scoring lower (5.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L) based on the following information:

* Pivotal mark this as "low" - https://pivotal.io/security/cve-2019-11272
* The application would have to be written in such a way that would permit the transport of null passwords through several methods, which would defy security practices for password handling in applications.

The following have been changed to reflect this:

AC (L->H): isPasswordValid would have to be passed a null, not using the provided encodePassword method; the documentation states "the encoded password should have previously been generated by encodePassword(String, Object). This method will encode the rawPass (using the optional salt), and then compared it with the presented encPass."

UI (N->R): Only user accounts with a null password (created incorrectly) would be affected.
This issue has been addressed in the following products: Red Hat Fuse 7.6.0 Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11272