Описание
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Ссылки
- Mailing ListThird Party Advisory
- Vendor Advisory
- Mailing ListThird Party Advisory
- Vendor Advisory
Уязвимые конфигурации
EPSS
7.3 High
CVSS3
7.5 High
CVSS2
Дефекты
Связанные уязвимости
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported ve ...
Insufficiently Protected Credentials and Improper Authentication in Spring Security
Уязвимость реализации класса PlaintextPasswordEncoder Java-фреймворка для обеспечения безопасности промышленных приложений Spring Security, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
EPSS
7.3 High
CVSS3
7.5 High
CVSS2