Описание
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
A flaw was found in Spring Security in several versions, in the use of plain text passwords using the PlaintextPasswordEncoder. If an application is using an affected version of Spring Security with the PlaintextPasswordEncoder and a user has a null encoded password, an attacker can use this flaw to authenticate using a password of "null."
Отчет
Red Hat OpenStack Platform's OpenDaylight versions 9 and 10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat JBoss Fuse 6 | spring-security-core | Out of support scope | ||
| Red Hat OpenStack Platform 10 (Newton) | opendaylight | Not affected | ||
| Red Hat OpenStack Platform 13 (Queens) | opendaylight | Not affected | ||
| Red Hat OpenStack Platform 14 (Rocky) | opendaylight | Not affected | ||
| Red Hat OpenStack Platform 8 (Liberty) | opendaylight | Will not fix | ||
| Red Hat OpenStack Platform 9 (Mitaka) | opendaylight | Will not fix | ||
| Red Hat Fuse 7.6.0 | spring-security-core | Fixed | RHSA-2020:0983 | 26.03.2020 |
Показывать по
Дополнительная информация
Статус:
7.3 High
CVSS3
Связанные уязвимости
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported ve ...
Insufficiently Protected Credentials and Improper Authentication in Spring Security
Уязвимость реализации класса PlaintextPasswordEncoder Java-фреймворка для обеспечения безопасности промышленных приложений Spring Security, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
7.3 High
CVSS3