Insufficiently Protected Credentials and Improper Authentication in Spring Security
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...
ai.foremast.metrics:foremast-spring-boot-1x-k8s-metrics-starter (>=0.1.6 <=0.1.7), ai.foremast.metrics:foremast-spring-boot-k8s-metrics-starter (>=0.1.4-SB1X <=0.1.4-SB1X_6) +2588 more potentially affected by CVE-2019-11272 via org.springframework.security:spring-security-core (>=2.0.0 <=4.2.12.RELEASE)
org.springframework.security:spring-security-core MAVEN version =2.0.0, =0.1.6, =0.1.4-SB1X, =1.0.0, =1.0.0, =1.0.0, =1.1.0.RELEASE, =1.1.1, =1.3.1-RELEASE, =0.3.3, =0.1, =1.0.0, =1.2.1, =2.0.0, =3.0.3, =3.0.6 and more Source cves: CVE-2019-11272 Source advisory: OSV:GHSA-V33X-PRHC-GPH5...
GHSA-V33X-PRHC-GPH5 Insufficiently Protected Credentials and Improper Authentication in Spring Security
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...
cn.dceast.platform:platform-security-starter (=2.2.3), com.ahome-it:ahome-tooling-server-core (>=1.0.83-RC1 <=1.0.114-RELEASE) +45 more potentially affected by CVE-2019-11272 via org.springframework.security:spring-security-cas (>=3.1.0.RELEASE <=4.1.3.RELEASE)
org.springframework.security:spring-security-cas MAVEN version =3.1.0.RELEASE, =1.0.83-RC1, =1.0.88-RC1, =1.0.83-RC1, =1.0.83-RC1, =1.0.83-RC1, =1.0.0, =0.3.1, =0.3.1, =0.3.2 and more Source cves: CVE-2019-11272 Source advisory: OSV:GHSA-V33X-PRHC-GPH5...
Authentication Bypass Via Null Authentication
spring-security is vulnerable to authentication bypass. The vulnerability is caused by the use of PlaintextPasswordEncoder, which validates the authentication of a user if a null encoded password is entered...
CVE-2019-11272
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...
Design/Logic Flaw
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...
CVE-2019-11272 PlaintextPasswordEncoder authenticates encoded passwords that are null
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...
CVE-2019-11272
CVE-2019-11272 affects Spring Security where PlaintextPasswordEncoder can allow login with a password of "null" if an encoded password is null. Affected: Spring Security 4.2.x up to 4.2.12 and older unsupported versions. Root cause: using PlaintextPasswordEncoder with null encoded passwords. Impa...
Pivotal Software Spring Security Authentication Vulnerability
Pivotal Software Spring Security is a suite of security frameworks from Pivotal Software, Inc. that provide illustrative security protection for Spring-based applications. A security vulnerability exists in Pivotal Software Spring Security versions 4.2.x through 4.2.12 and older versions that are...
Security Bulletin: Remote code execution vulnerability (CVE-2019-3778) affects IBM Spectrum Symphony 7.2.0.2 and 7.2.1
Summary Interim fixes are needed to upgrade the Spring Security OAuth package in IBM Spectrum Symphony 7.2.0.2 and 7.2.1 to resolve the remote code execution vulnerability CVE-2019-3778. Vulnerability Details CVE-ID: CVE-2019-3778 Description: Spring Security OAuth could allow a remote attacker t...
Spring Security OAuth - Open Redirector Vulnerability
Exploit for java platform in category web applications Exploit Title: Open Redirector in spring-security-oauth2 Exploit Author: Riemann Vendor Homepage: https://spring.io/projects/spring-security-oauth Software Link: https://spring.io Version: Spring Security OAuth versions 2.3 prior to 2.3.6...
Spring Security OAuth - Open Redirector
Spring Security OAuth - Open Redirector Exploit Title: Open Redirector in spring-security-oauth2 Date: 17 June 2019 Exploit Author: Riemann Vendor Homepage: https://spring.io/projects/spring-security-oauth Software Link: https://spring.io Version: Spring Security OAuth versions 2.3 prior to 2.3.6...
Spring Security OAuth - Open Redirector
Exploit Title: Open Redirector in spring-security-oauth2 Date: 17 June 2019 Exploit Author: Riemann Vendor Homepage: https://spring.io/projects/spring-security-oauth Software Link: https://spring.io Version: Spring Security OAuth versions 2.3 prior to 2.3.6...
Spring Security OAuth 2.3 Open Redirection
Exploit Title: Open Redirector in spring-security-oauth2 Date: 17 June 2019 Exploit Author: Riemann Vendor Homepage: https://spring.io/projects/spring-security-oauth Software Link: https://spring.io Version: Spring Security OAuth versions 2.3 prior to 2.3.6...
com.alexbt:springboot-autoconfigure-openid-oauth (=1.0.9), com.appdirect:service-integration-sdk (>=1.24 <=v11.129.7) +11 more potentially affected by CVE-2019-11269 via org.springframework.security.oauth:spring-security-oauth (>=2.0.10.RELEASE <=2.0.17.RELEASE)
org.springframework.security.oauth:spring-security-oauth MAVEN version =2.0.10.RELEASE, =1.24, =1.4.3, =2.7.4.7, =2.7.4.7, =2.7.4.7, =3.3.0.4, =3.3.0.4, =2.7.4.7, =4.4.0 Source cves: CVE-2019-11269 Source advisory: OSV:GHSA-MMF6-6597-3V6M...
GHSA-MMF6-6597-3V6M Open Redirect in Spring Security OAuth
Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the...
uk.ac.ox.it.lti:lti-launch (>=1.5.0 <=1.6.0) potentially affected by CVE-2019-11269 via org.springframework.security.oauth:spring-security-oauth (=2.3.5.RELEASE)
org.springframework.security.oauth:spring-security-oauth MAVEN version =2.3.5.RELEASE is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security.oauth:spring-security-oauth and may be impacted: - uk.ac.ox.it.lti:lti-launch =1.5.0,...