CVE-2019-11272

Authorization Bypass
Affects Spring Security <4.2.13 in Spring
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview and Vulnerability Info

Spring Security is widely used in Java applications to handle user login, role-based access, and other security-related tasks. By integrating into the Spring ecosystem, it makes it easier for developers to enforce best security practices, reduce vulnerabilities, and streamline user authentication across their apps.

An Authentication Bypass vulnerability (CVE-2019-11272) has been identified in spring-security-core from Spring Security. It allows an attacker to authenticate with the password "null" against any account whose stored encoded password is null.

Per Common Attack Pattern Enumeration and Classification CAPEC-115: Authentication Bypass is when an attacker gains access to an application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

This issue affects versions 4.2.0 through 4.2.12 of spring-security-core from Spring Security.

Details

Vulnerability Info

CVE-2019-11272 is a high-severity vulnerability found in Spring Security versions 4.2.0 to 4.2.12, and older unsupported releases. The issue appears when the PlaintextPasswordEncoder is in use and a user’s stored encoded password is null. In such cases, an attacker can gain unauthorized access by literally using “null” as the password. This oversight allows attackers to bypass normal authentication checks and potentially access sensitive data or functions within the application.
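As an added illustration of the bug class described above (constructed for this page, not Spring Security's own code; the class and method names are assumptions), a plaintext comparison that coerces a null stored password to the string "null" is shown beside a form that rejects the missing credential outright:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Constructed illustration of the CVE-2019-11272 bug class; not Spring Security code. */
public final class NullPasswordCheck {

    // Flawed comparison: "" + null yields the five-character string "null",
    // so an account whose stored password is null accepts a submitted
    // password of "null". This is the shape of the oversight in the advisory.
    static boolean vulnerableMatches(String storedEncodedPassword, String presentedPassword) {
        String stored = "" + storedEncodedPassword;
        return stored.equals(presentedPassword);
    }

    // Hardened comparison: a missing stored credential means the account has
    // no password to match, so the login is refused before any comparison.
    // The byte-wise comparison is done with MessageDigest.isEqual so that the
    // check does not leak the match position through its timing.
    static boolean hardenedMatches(String storedEncodedPassword, String presentedPassword) {
        if (storedEncodedPassword == null || presentedPassword == null) {
            return false;
        }
        byte[] stored = storedEncodedPassword.getBytes(StandardCharsets.UTF_8);
        byte[] presented = presentedPassword.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(stored, presented);
    }

    public static void main(String[] args) {
        // Account with no stored password, attacker submits the literal "null".
        String storedPassword = null;
        String submitted = "null";
        System.out.println("vulnerable comparison accepts: "
                + vulnerableMatches(storedPassword, submitted));
        System.out.println("hardened comparison accepts:   "
                + hardenedMatches(storedPassword, submitted));
        // A real credential still works under the hardened check.
        System.out.println("hardened, correct password:    "
                + hardenedMatches("s3cret", "s3cret"));
    }
}
```

A useful audit check is to query the user store for accounts whose password column is null and either disable them or set an unusable placeholder, since the flawed encoder treats such accounts as reachable rather than locked.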

Credits

  • Tim Büthe and Daniel Neagaru from mytaxi.

Mitigation

Spring Security 4 is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Security.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details
ID: CVE-2019-11272
Project Affected: Spring Security
Versions Affected: <4.2.13
Published date: June 19, 2019
≈ Fix date: June 19, 2019
Severity: Low
Category: Authorization Bypass