mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
75 lines
2.6 KiB
JSON
75 lines
2.6 KiB
JSON
{
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"data_version": "4.0",
|
|
"CVE_data_meta": {
|
|
"ASSIGNER": "security@pivotal.io",
|
|
"DATE_PUBLIC": "2019-06-20T20:19:44.000Z",
|
|
"ID": "CVE-2019-11272",
|
|
"STATE": "PUBLIC",
|
|
"TITLE": "PlaintextPasswordEncoder authenticates encoded passwords that are null"
|
|
},
|
|
"source": {
|
|
"discovery": "UNKNOWN"
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "Spring Security",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"affected": "<",
|
|
"version_name": "4.2",
|
|
"version_value": "4.2.13.RELEASE"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"vendor_name": "Spring"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of \"null\"."
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-287: Improper Authentication - Generic"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"refsource": "CONFIRM",
|
|
"url": "https://pivotal.io/security/cve-2019-11272",
|
|
"name": "https://pivotal.io/security/cve-2019-11272"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[debian-lts-announce] 20190709 [SECURITY] [DLA 1848-1] libspring-security-2.0-java security update",
|
|
"url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html"
|
|
}
|
|
]
|
|
},
|
|
"impact": null
|
|
} |