Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of null.
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Spring_security | Vmware | 4.2.0 (including) | 4.2.12 (including) |
Red Hat Fuse 7.6.0 | RedHat | spring-security-core | * |
Libspring-security-2.0-java | Ubuntu | trusty | * |