Bug 1728993 (CVE-2019-11272) - CVE-2019-11272 spring-security-core: mishandling of user passwords allows logging in with a password of NULL
Summary: CVE-2019-11272 spring-security-core: mishandling of user passwords allows log...
Keywords:
Status: NEW
Alias: CVE-2019-11272
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1728994
TreeView+ depends on / blocked
 
Reported: 2019-07-11 07:35 UTC by Marian Rehak
Modified: 2019-12-23 12:20 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Marian Rehak 2019-07-11 07:35:13 UTC
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

External References:

https://pivotal.io/security/cve-2019-11272

Comment 2 Joshua Padman 2019-07-24 05:03:59 UTC
Statement:

Red Hat OpenStack Platform's OpenDaylight versions 9 and 10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.

Comment 5 Jonathan Christison 2019-10-11 16:28:03 UTC
Re-scoring lower (5.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L) based on the following information 

* Pivotal mark this as "low" - https://pivotal.io/security/cve-2019-11272
* The application would have to be written in such a way that would permit the transport of null passwords through several methods, which would defy security practices for password handling in applications 

The following have been changed to reflect this: 
AC (L->H): isPasswordValid would have to be passed a null, not using the provided encodePassword method, the documentation states "the encoded password should have previously been generated by encodePassword(String, Object). This method will encode the rawPass (using the optional salt), and then compared it with the presented encPass." 

UI (N->R): Only user accounts with a null password (created incorrectly) would be affected


Note You need to log in before you can comment on or make changes to this bug.