[MAVEN:GHSA-V33X-PRHC-GPH5] Insufficiently Protected Credentials and Improper Authentication in Spring Security
Severity
High
Affected Packages
2
Fixed Packages
2
CVEs
1
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of ?null?.
| Package | Affected Version |
|---|---|
 pkg:maven/org.springframework.security/spring-security-core
|
<= 4.2.12 |
|
pkg:maven/org.springframework.security/spring-security-cas
|
<= 4.2.12.RELEASE |
| Package | Fixed Version |
|---|---|
|
pkg:maven/org.springframework.security/spring-security-core
|
= 4.2.13 |
|
pkg:maven/org.springframework.security/spring-security-cas
|
= 4.2.13.RELEASE |
- ID
- MAVEN:GHSA-V33X-PRHC-GPH5
- Severity
- high
- URL
- https://github.com/advisories/GHSA-v33x-prhc-gph5
- Published
-
2019-06-27T17:24:58
(5 years ago) - Modified
-
2023-01-28T05:00:56
(19 months ago) - Rights
- Maven Security Team
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.springframework.security/spring-security-core | org.springframework.security |
spring-security-core
|
<= 4.2.12 | |||
| Fixed | pkg:maven/org.springframework.security/spring-security-core | org.springframework.security |
spring-security-core
|
= 4.2.13 | |||
| Affected | pkg:maven/org.springframework.security/spring-security-cas | org.springframework.security |
spring-security-cas
|
<= 4.2.12.RELEASE | |||
| Fixed | pkg:maven/org.springframework.security/spring-security-cas | org.springframework.security |
spring-security-cas
|
= 4.2.13.RELEASE |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |