Bug 1728993 (CVE-2019-11272) - CVE-2019-11272 spring-security-core: mishandling of user passwords allows logging in with a password of NULL
Alias: CVE-2019-11272
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1728994
Reported: 2019-07-11 07:35 UTC by Marian Rehak
Modified: 2021-02-16 21:44 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in several versions of Spring Security when plain text passwords are used via the PlaintextPasswordEncoder. If an application uses an affected version of Spring Security with the PlaintextPasswordEncoder and a user account has a null encoded password, an attacker can use this flaw to authenticate as that user with a password of "null".
Clone Of:
Last Closed: 2020-03-26 16:32:25 UTC


Related errata:
Red Hat Product Errata RHSA-2020:0983 (Private: None, Priority: None, Status: None; last updated 2020-03-26 15:47:49 UTC)

Description Marian Rehak 2019-07-11 07:35:13 UTC
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

External References:


Comment 2 Joshua Padman 2019-07-24 05:03:59 UTC

Red Hat OpenStack Platform's OpenDaylight versions 9 and 10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.

Comment 5 Jonathan Christison 2019-10-11 16:28:03 UTC
Re-scoring lower (5.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L) based on the following information 

* Pivotal mark this as "low" - https://pivotal.io/security/cve-2019-11272
* The application would have to be written in such a way that would permit the transport of null passwords through several methods, which would defy security practices for password handling in applications 

The following have been changed to reflect this: 
AC (L->H): isPasswordValid would have to be passed a null, not using the provided encodePassword method, the documentation states "the encoded password should have previously been generated by encodePassword(String, Object). This method will encode the rawPass (using the optional salt), and then compared it with the presented encPass." 

UI (N->R): Only user accounts with a null password (created incorrectly) would be affected
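
The comparison discussed in this comment, as an added illustration that is not Spring Security's code and not part of the original bug report: the two isPasswordValid variants below are a simplified model (an assumption) of the concatenation-based comparison the report describes, showing why a null stored password matches the literal text "null" and how a guard in front of the comparison prevents it. The Account class, the accountsWithMissingPassword audit helper and the account list are hypothetical constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration, not Spring Security's code. The two isPasswordValid
// variants are a simplified model (an assumption) of the comparison described
// in the report; the account records are constructed sample data.
public class NullPasswordCheck {

    // Model of the flawed comparison: building the comparison strings with
    // concatenation turns a null stored password into the literal text "null",
    // so a presented password of "null" matches it.
    static boolean flawedIsPasswordValid(String encPass, String rawPass) {
        String stored = "" + encPass;      // null becomes "null"
        String presented = "" + rawPass;
        return stored.equals(presented);
    }

    // Guarded comparison: an absent or empty stored credential never matches,
    // and the comparison itself runs in constant time.
    static boolean guardedIsPasswordValid(String encPass, String rawPass) {
        if (encPass == null || encPass.isEmpty() || rawPass == null) {
            return false;
        }
        return MessageDigest.isEqual(
                encPass.getBytes(StandardCharsets.UTF_8),
                rawPass.getBytes(StandardCharsets.UTF_8));
    }

    // Minimal account record (hypothetical; stands in for whatever user store
    // the application uses).
    static final class Account {
        final String username;
        final String encodedPassword;

        Account(String username, String encodedPassword) {
            this.username = username;
            this.encodedPassword = encodedPassword;
        }
    }

    // Audit helper: lists accounts whose stored credential is missing, i.e. the
    // "created incorrectly" accounts that the re-scoring refers to.
    static List<String> accountsWithMissingPassword(List<Account> accounts) {
        List<String> affected = new ArrayList<>();
        for (Account a : accounts) {
            if (a.encodedPassword == null || a.encodedPassword.trim().isEmpty()) {
                affected.add(a.username);
            }
        }
        return affected;
    }

    public static void main(String[] args) {
        // Constructed sample data: one normal account and one with a null password.
        List<Account> accounts = Arrays.asList(
                new Account("alice", "correct-horse"),
                new Account("broken", null));

        System.out.println("Accounts with missing password: "
                + accountsWithMissingPassword(accounts));

        String presented = "null";
        for (Account a : accounts) {
            System.out.println(a.username
                    + " flawed=" + flawedIsPasswordValid(a.encodedPassword, presented)
                    + " guarded=" + guardedIsPasswordValid(a.encodedPassword, presented));
        }
    }
}
```

The audit helper is the check a defender would run against the user store before and after upgrading: an application that never lets a null encoded password reach the comparison is not exposed regardless of which encoder version is installed, which is the point behind the AC and UI adjustments above.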

Comment 7 errata-xmlrpc 2020-03-26 15:47:46 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983

Comment 8 Product Security DevOps Team 2020-03-26 16:32:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

