Candidate: CVE-2019-11272
PublicDate: 2019-06-26 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11272
 https://github.com/spring-projects/spring-security/commit/b2d4fec3617c497c5a8eb9c7e5270e0c7db293ee
Description:
 Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions
 support plain text passwords using PlaintextPasswordEncoder. If an
 application using an affected version of Spring Security is leveraging
 PlaintextPasswordEncoder and a user has a null encoded password, a
 malicious user (or attacker) can authenticate using a password of "null".
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L [7.3 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L [7.3 HIGH]

Patches_libspring-security-2.0-java:
upstream_libspring-security-2.0-java: needs-triage
precise/esm_libspring-security-2.0-java: DNE
trusty_libspring-security-2.0-java: ignored (out of standard support)
trusty/esm_libspring-security-2.0-java: DNE
xenial_libspring-security-2.0-java: DNE
bionic_libspring-security-2.0-java: DNE
focal_libspring-security-2.0-java: DNE
devel_libspring-security-2.0-java: DNE