CVE-2019-3795 Spring Security insecure randomness vulnerability 

Issue date: 28-08-2019
Affects versions: 12.6

Issue ID: SECURITY-116


Affected Product Version(s)
12.6.5 (and previous patch releases)

Severity

High

Description


CVE-2019-11272 

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

This vulnerability is classified with severity high. 
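The failure mode described above, as an added illustration in plain Java. This is not Spring Security's own code: the `User` record, the two comparison helpers and the audit helper are hypothetical names chosen for the example. The flawed helper reproduces the coercion pattern ("" + null becomes the string "null") that lets a password of "null" match an account whose stored password was never set; the hardened helper refuses to authenticate any account with a missing credential, and the audit helper finds such accounts so they can be fixed before or alongside the library upgrade.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Illustration of the plaintext-password failure mode behind CVE-2019-11272.
 * Not Spring Security code; all names here are constructed for the example.
 */
public class NullPasswordCheck {

    /** Minimal user record as an authentication layer might load it (constructed sample type). */
    static final class User {
        final String username;
        final String storedPassword; // plaintext; null when the account never had a password set

        User(String username, String storedPassword) {
            this.username = username;
            this.storedPassword = storedPassword;
        }
    }

    /**
     * Flawed comparison: concatenating a null reference onto "" yields the literal
     * string "null", so a supplied password of "null" matches an unset credential.
     */
    static boolean flawedIsValid(String storedPassword, String suppliedPassword) {
        String stored = "" + storedPassword;     // null  -> "null"
        String supplied = "" + suppliedPassword; // "null" -> "null"
        return stored.equals(supplied);
    }

    /**
     * Hardened comparison: a missing or empty stored credential never authenticates,
     * and the byte comparison does not short-circuit on the first mismatch.
     */
    static boolean hardenedIsValid(String storedPassword, String suppliedPassword) {
        if (storedPassword == null || storedPassword.isEmpty() || suppliedPassword == null) {
            return false;
        }
        return MessageDigest.isEqual(
                storedPassword.getBytes(StandardCharsets.UTF_8),
                suppliedPassword.getBytes(StandardCharsets.UTF_8));
    }

    /** Audit helper: lists accounts whose stored password is null, the state the advisory describes. */
    static List<String> accountsWithNullPassword(List<User> users) {
        List<String> affected = new ArrayList<>();
        for (User u : users) {
            if (u.storedPassword == null) {
                affected.add(u.username);
            }
        }
        return affected;
    }

    public static void main(String[] args) {
        // Constructed sample data: one normal user, one account with no password set.
        List<User> users = Arrays.asList(
                new User("alice", "s3cret"),
                new User("svc-report", null));

        User svc = users.get(1);
        System.out.println("flawed check, password \"null\":   "
                + flawedIsValid(svc.storedPassword, "null"));    // true  (the bug)
        System.out.println("hardened check, password \"null\": "
                + hardenedIsValid(svc.storedPassword, "null"));  // false
        System.out.println("hardened check, real password:   "
                + hardenedIsValid(users.get(0).storedPassword, "s3cret")); // true

        System.out.println("accounts with null password: " + accountsWithNullPassword(users));
    }
}
```

The audit helper is the part worth running against a real user store: upgrading the library closes the comparison bug, but accounts that carry a null credential remain a weak spot and should be given a proper password or disabled.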

The affected third-party library has been updated to the latest compatible version available. For 12.6.6, this is Spring Security 4.2.13.


Instructions

Every customer is strongly advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.