Description
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Remediation
References
https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html
https://pivotal.io/security/cve-2019-11272
Related Vulnerabilities
CVE-2020-6858 Vulnerability in maven package com.hotels.styx:styx-server
CVE-2019-5416 Vulnerability in npm package localhost-now
CVE-2021-40663 Vulnerability in npm package deep.assign
CVE-2020-15250 Vulnerability in maven package junit:junit
CVE-2020-7616 Vulnerability in npm package express-mock-middleware