CVE-2019-11272

CVE Database · CVE-2019-11272

CVE-2019-11272

· HIGHAnalyzed

CVSS v3.1

7.3

EPSS

1.37%

Published

Jun 26, 2019

Modified

Sep 12, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Weaknesses (CWE)

CWE-287CWE-522

Affected Products (2)

vmware · spring_security (up to 4.2.13)vulnerable

debian · debian_linuxvulnerable

References (4)

https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html

Mailing ListThird Party Advisory

https://pivotal.io/security/cve-2019-11272

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html

Mailing ListThird Party Advisory

https://pivotal.io/security/cve-2019-11272

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs