CVE-2019-11272
PlaintextPasswordEncoder vulnerability in spring-security-core (Maven)


What is CVE-2019-11272 About?

Spring Security versions up to 4.2.12 that use `PlaintextPasswordEncoder` are vulnerable. If a user has a null-encoded password, a malicious user can authenticate as that user by supplying '?null?' as the password. This yields unauthorized access and is relatively easy to exploit.

Affected Software

  • org.springframework.security:spring-security-core
    • <4.2.13
  • org.springframework.security:spring-security-cas
    • <4.2.13.RELEASE

Technical Details

The vulnerability exists in Spring Security versions 4.2.x up to 4.2.12, and in older unsupported versions, when `PlaintextPasswordEncoder` is used for password encoding. `PlaintextPasswordEncoder` is designed for plaintext passwords, meaning it performs no hashing or encryption at all. The flaw arises specifically when a user's stored password is null-encoded, a state that can result from misconfiguration or from particular database contents. In that scenario, `PlaintextPasswordEncoder` processes the null-encoded password such that the string '?null?' is validated as a correct password. This bypass allows any attacker to authenticate as that user simply by providing '?null?' as the password, thereby gaining unauthorized access to the application.

What is the Impact of CVE-2019-11272?

Successful exploitation may allow attackers to bypass authentication and gain unauthorized access to user accounts, leading to sensitive data disclosure, modification, or full account compromise.

What is the Exploitability of CVE-2019-11272?

Exploitation is relatively straightforward, but it requires knowing that the target application uses `PlaintextPasswordEncoder` and that a user with a null-encoded password exists. Beyond understanding how to interact with the application's login mechanism, no complex technical prerequisites are generally needed. Authentication for the legitimate account is bypassed outright, so the attacker needs no prior authentication and no specific privileges: the attack itself grants initial access. The vulnerability is remotely exploitable, since a login attempt can be made from anywhere. The primary conditions are the use of the deprecated `PlaintextPasswordEncoder` and a user in this specific password state; together these factors significantly increase the likelihood of exploitation. If an application uses this encoder, identifying the affected accounts becomes the main challenge.
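The technical details and exploitability sections above describe an authentication check that, for an account whose stored password is null-encoded, accepts a fixed string. The following is an added example, not code from Spring Security or from this page's author: it shows the defensive property such a check must have (a null or empty stored credential never matches any presented string, and the comparison is constant-time) together with an audit that lists the accounts in a user store that are in the null-encoded state and therefore need repair. The `UserRecord` type, the method names and the sample rows are constructed for this example and are not Spring Security APIs.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not Spring Security's own code): a plaintext-style credential check that
 * refuses to match a null or empty stored credential, plus an audit over a user store for
 * the null-encoded password state on which CVE-2019-11272 depends.
 */
public class NullEncodedPasswordAudit {

    /** Constructed user record; a real application would map this from its user store. */
    static final class UserRecord {
        final String username;
        final String encodedPassword; // null here is the state the CVE hinges on

        UserRecord(String username, String encodedPassword) {
            this.username = username;
            this.encodedPassword = encodedPassword;
        }
    }

    /**
     * Hardened comparison (hypothetical, modelled on the advisory's description): a null or
     * empty stored credential means "this account has no valid credential", so it never
     * matches any presented string. Only when both sides are present is a constant-time
     * byte comparison performed; the stored value is never coerced into a comparable string.
     */
    static boolean isPasswordValid(String storedEncodedPassword, String presentedPassword) {
        if (storedEncodedPassword == null || storedEncodedPassword.isEmpty()) {
            return false;
        }
        if (presentedPassword == null) {
            return false;
        }
        byte[] stored = storedEncodedPassword.getBytes(StandardCharsets.UTF_8);
        byte[] presented = presentedPassword.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares without short-circuiting on the first mismatch
        return MessageDigest.isEqual(stored, presented);
    }

    /** Lists accounts whose stored credential is null or empty: the rows an operator must repair. */
    static List<String> findNullEncodedAccounts(List<UserRecord> users) {
        List<String> affected = new ArrayList<>();
        for (UserRecord user : users) {
            if (user.encodedPassword == null || user.encodedPassword.isEmpty()) {
                affected.add(user.username);
            }
        }
        return affected;
    }

    public static void main(String[] args) {
        // Constructed sample data: one healthy row, one null-encoded row, one empty row.
        List<UserRecord> users = Arrays.asList(
                new UserRecord("alice", "correct-horse-battery-staple"),
                new UserRecord("bob", null),
                new UserRecord("carol", ""));

        System.out.println("Accounts needing repair: " + findNullEncodedAccounts(users));

        // A null stored credential never authenticates, whatever string is presented.
        System.out.println("null stored, any input:  " + isPasswordValid(null, "anything"));
        System.out.println("matching credential:     "
                + isPasswordValid("correct-horse-battery-staple", "correct-horse-battery-staple"));
        System.out.println("non-matching credential: "
                + isPasswordValid("correct-horse-battery-staple", "wrong"));
    }
}
```

Running the audit against the real user store is the practical step: every account it reports should have its credential reset before the application is exposed, and the deployment should be upgraded to the fixed versions listed below. Independently of this CVE, `PlaintextPasswordEncoder` stores passwords unhashed, so the longer-term fix is to migrate to a hashing encoder from Spring Security's crypto module (for example `BCryptPasswordEncoder`) rather than to keep a hardened plaintext comparison in production.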

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2019-11272?

Available Upgrade Options

  • org.springframework.security:spring-security-core
    • <4.2.13 → Upgrade to 4.2.13
  • org.springframework.security:spring-security-cas
    • <4.2.13.RELEASE → Upgrade to 4.2.13.RELEASE


Additional Resources

What are Similar Vulnerabilities to CVE-2019-11272?

Similar Vulnerabilities: CVE-2017-4985, CVE-2018-1258, CVE-2019-3795, CVE-2020-5407, CVE-2020-5412