Merge pull request #2208 from pivotal-cf/master

Adding Pivotal CVE-2019-11272
2025-06-12 02:05:39 +00:00 · 2019-06-26 10:07:33 -04:00 · 2019-06-26 10:07:33 -04:00 · 7c7570a52a
commit 7c7570a52a
parent 55c1e75b02 178ba8e904
1 changed files with 56 additions and 4 deletions
--- a/2019/11xxx/CVE-2019-11272.json
+++ b/2019/11xxx/CVE-2019-11272.json
@ -3,16 +3,68 @@
    "data_format": "MITRE",
    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security@pivotal.io",
+        "DATE_PUBLIC": "2019-06-20T20:19:44.000Z",
        "ID": "CVE-2019-11272",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "PlaintextPasswordEncoder authenticates encoded passwords that are null"
+    },
+    "source": {
+        "discovery": "UNKNOWN"
+    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "Spring Security",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "affected": "<",
+                                            "version_name": "4.2",
+                                            "version_value": "4.2.13.RELEASE"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "Spring"
+                }
+            ]
+        }
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of “null”.\n"
            }
        ]
-    }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-287: Improper Authentication - Generic"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "refsource": "CONFIRM",
+                "url": "https://pivotal.io/security/cve-2019-11272",
+                "name": "https://pivotal.io/security/cve-2019-11272"
+            }
+        ]
+    },
+    "impact": null
 }