CVE-2019-11272 @ Maven-org.springframework.security:spring-security-core-3.2.4.RELEASE

[diogopcx]

Vulnerable Package issue exists @ Maven-org.springframework.security:spring-security-core-3.2.4.RELEASE in branch main

Spring Security, versions through 4.2.12 support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Namespace: diogopcx
Repository: CheckmarxDemo
Repository Url: https://github.com/diogopcx/CheckmarxDemo
CxAST-Project: diogopcx/CheckmarxDemo
CxAST platform scan: 358cac2e-8dd5-43e9-8390-980528e9e4ce
Branch: main
Application: CheckmarxDemo
Severity: HIGH
State: TO_VERIFY
Status: RECURRENT
CWE: CWE-255

---

Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: LOW
Availability impact: LOW
Remediation Upgrade Recommendation: 4.0.0.M2

---

References
Advisory
Commit
Issue