Description
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Remediation
References
https://pivotal.io/security/cve-2019-11272
https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html
Related Vulnerabilities
CVE-2020-2126 Vulnerability in maven package com.dubture.jenkins:digitalocean-plugin
CVE-2021-42767 Vulnerability in maven package org.neo4j.procedure:apoc
CVE-2023-31101 Vulnerability in maven package org.apache.inlong:manager-service
CVE-2020-2166 Vulnerability in maven package de.taimos:pipeline-aws