1189 matches found
Debian DLA-1848-1 : libspring-security-2.0-java security update
Spring Security supports plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user or attacker can authenticate using a password of 'null'. For...
[SECURITY] [DLA 1848-1] libspring-security-2.0-java security update
Package : libspring-security-2.0-java Version : 2.0.7.RELEASE-3+deb8u2 CVE ID : CVE-2019-11272 Spring Security supports plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null...
Security Bulletin: Remote code execution vulnerability (CVE-2019-11269) affects IBM Spectrum Symphony 7.2.1 and 7.2.0.2
Summary A remote code execution vulnerability exists in the Spring Security OAuth version used by IBM Spectrum Symphony 7.2.1 and 7.2.0.2. Interim fixes that provide instructions on upgrading the Spring Security OAuth package to version 2.0.18 which resolves this vulnerability are available on IB...
Insufficiently Protected Credentials and Improper Authentication in Spring Security
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...
ai.foremast.metrics:foremast-spring-boot-1x-k8s-metrics-starter (>=0.1.6 <=0.1.7), ai.foremast.metrics:foremast-spring-boot-k8s-metrics-starter (>=0.1.4-SB1X <=0.1.4-SB1X_6) +2588 more potentially affected by CVE-2019-11272 via org.springframework.security:spring-security-core (>=2.0.0 <=4.2.12.RELEASE)
org.springframework.security:spring-security-core MAVEN version =2.0.0, =0.1.6, =0.1.4-SB1X, =1.0.0, =1.0.0, =1.0.0, =1.1.0.RELEASE, =1.1.1, =1.3.1-RELEASE, =0.3.3, =0.1, =1.0.0, =1.2.1, =2.0.0, =3.0.3, =3.0.6 and more Source cves: CVE-2019-11272 Source advisory: OSV:GHSA-V33X-PRHC-GPH5...
GHSA-V33X-PRHC-GPH5 Insufficiently Protected Credentials and Improper Authentication in Spring Security
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...
cn.dceast.platform:platform-security-starter (=2.2.3), com.ahome-it:ahome-tooling-server-core (>=1.0.83-RC1 <=1.0.114-RELEASE) +45 more potentially affected by CVE-2019-11272 via org.springframework.security:spring-security-cas (>=3.1.0.RELEASE <=4.1.3.RELEASE)
org.springframework.security:spring-security-cas MAVEN version =3.1.0.RELEASE, =1.0.83-RC1, =1.0.88-RC1, =1.0.83-RC1, =1.0.83-RC1, =1.0.83-RC1, =1.0.0, =0.3.1, =0.3.1, =0.3.2 and more Source cves: CVE-2019-11272 Source advisory: OSV:GHSA-V33X-PRHC-GPH5...
Authentication Bypass Via Null Authentication
spring-security is vulnerable to authentication bypass. The vulnerability is caused by the use of PlaintextPasswordEncoder, which validates the authentication of a user if a null encoded password is entered...
CVE-2019-11272
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...
CVE-2019-11272
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...
Design/Logic Flaw
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...
CVE-2019-11272
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...
CVE-2019-11272 PlaintextPasswordEncoder authenticates encoded passwords that are null
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...
CVE-2019-11272
CVE-2019-11272 affects Spring Security where PlaintextPasswordEncoder can allow login with a password of "null" if an encoded password is null. Affected: Spring Security 4.2.x up to 4.2.12 and older unsupported versions. Root cause: using PlaintextPasswordEncoder with null encoded passwords. Impa...
Pivotal Software Spring Security Authentication Vulnerability
Pivotal Software Spring Security is a security framework from Pivotal Software, Inc. that provides declarative security protection for Spring-based applications. A security vulnerability exists in Pivotal Software Spring Security versions 4.2.x through 4.2.12 and older versions that are...
Security Bulletin: Remote code execution vulnerability (CVE-2019-3778) affects IBM Spectrum Symphony 7.2.0.2 and 7.2.1
Summary Interim fixes are needed to upgrade the Spring Security OAuth package in IBM Spectrum Symphony 7.2.0.2 and 7.2.1 to resolve the remote code execution vulnerability CVE-2019-3778. Vulnerability Details CVE-ID: CVE-2019-3778 Description: Spring Security OAuth could allow a remote attacker t...
Spring Security OAuth - Open Redirector Vulnerability
Exploit for java platform in category web applications Exploit Title: Open Redirector in spring-security-oauth2 Exploit Author: Riemann Vendor Homepage: https://spring.io/projects/spring-security-oauth Software Link: https://spring.io Version: Spring Security OAuth versions 2.3 prior to 2.3.6...
Spring Security OAuth - Open Redirector
Exploit Title: Open Redirector in spring-security-oauth2 Date: 17 June 2019 Exploit Author: Riemann Vendor Homepage: https://spring.io/projects/spring-security-oauth Software Link: https://spring.io Version: Spring Security OAuth versions 2.3 prior to 2.3.6...
Spring Security OAuth 2.3 Open Redirection
Exploit Title: Open Redirector in spring-security-oauth2 Date: 17 June 2019 Exploit Author: Riemann Vendor Homepage: https://spring.io/projects/spring-security-oauth Software Link: https://spring.io Version: Spring Security OAuth versions 2.3 prior to 2.3.6...
GHSA-MMF6-6597-3V6M Open Redirect in Spring Security OAuth
Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions, could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the...