Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

CVE-2019-11272 @ Maven-org.springframework.security:spring-security-core-3.2.4.RELEASE #36

Open
jbrotsos opened this issue Jun 16, 2022 · 0 comments
Open

CVE-2019-11272 @ Maven-org.springframework.security:spring-security-core-3.2.4.RELEASE #36

jbrotsos opened this issue Jun 16, 2022 · 0 comments
Labels
branch:main Checkmarx CxSCA

Comments

@jbrotsos
Copy link
Contributor

jbrotsos commented Jun 16, 2022
edited
Loading

Vulnerable Package issue exists @ Maven-org.springframework.security:spring-security-core-3.2.4.RELEASE in branch main

Spring Security, versions through 4.2.12 support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Namespace: James-AST
Repository: msft
Repository Url: https://github.com/James-AST/msft
CxAST-Project: James-AST/msft
CxAST platform scan: d217bf9e-499c-4ae8-a115-08b6cd62b182
Branch: main
Application: msft
Severity: HIGH
State: NOT_IGNORED
Status: RECURRENT
CWE: CWE-255

Addition Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: LOW
Availability impact: LOW
Remediation Upgrade Recommendation: 4.2.16.RELEASE

References
Advisory
Commit
Issue
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
branch:main Checkmarx CxSCA
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jbrotsos