rundeck "CVE-2019-11272" Spring Security Update Plz~ #5002

Closed
happylie opened this issue Jun 27, 2019 · 0 comments

@happylie commented Jun 27, 2019

Hi~
Rundeck-3.0.23 is still using spring-security-core-4.2.7.7.RELEASE.jar

CVE-2019-11272
Description
- Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of “null”.

URL : 
- https://pivotal.io/security/cve-2019-11272
- https://spring.io/blog/2019/06/19/cve-2019-11272-spring-security-4-2-13-released

@gschueler added the security label Jun 27, 2019

@gschueler added this to the 3.0.24 milestone Jul 1, 2019

gschueler added a commit that referenced this issue Jul 17, 2019

Merge pull request #5047 from ahormazabal/vbumps/update-201907
Issues #5002, #4979, #4463, #4464, #4465, #4466 - Update several library dependencies to address reported CVEs.

@gschueler closed this Jul 18, 2019
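
A check an operator could run against an install to see whether it still ships a `spring-security-core` jar in the range the issue describes. This is an added example, not code from the Rundeck project or from Spring; the function names and all sample file names except the one quoted in the issue are constructed, and the fixed version 4.2.13 is taken from the release announcement linked above.

```python
import re
import sys
from pathlib import Path

# From the issue text: 4.2.x up to 4.2.12 and older unsupported versions are
# affected; the linked release announcement names 4.2.13 as the fixed version.
FIXED = (4, 2, 13)
CORE_JAR = re.compile(
    r"^spring-security-core-(\d+(?:\.\d+)*)(?:[.-][A-Za-z][\w.-]*)?\.jar$")

def core_version(filename):
    """Return the numeric version tuple of a spring-security-core jar, else None."""
    m = CORE_JAR.match(filename)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(filename):
    """True when the jar is spring-security-core older than the fixed release."""
    version = core_version(filename)
    return version is not None and version < FIXED

def affected_jars(names):
    """Filter an iterable of jar file names down to the affected ones."""
    return [n for n in names if is_affected(n)]

def scan(root):
    """Walk an install or exploded-WAR directory and return affected jar paths."""
    return [str(p) for p in Path(root).rglob("*.jar") if is_affected(p.name)]

# Constructed sample listing; only the first name is quoted from the issue.
SAMPLE = [
    "spring-security-core-4.2.7.7.RELEASE.jar",
    "spring-security-core-4.2.12.RELEASE.jar",
    "spring-security-core-4.2.13.RELEASE.jar",
    "spring-security-core-5.1.5.RELEASE.jar",
    "spring-security-web-4.2.7.RELEASE.jar",
    "spring-core-4.3.9.RELEASE.jar",
]

if __name__ == "__main__":
    hits = scan(sys.argv[1]) if len(sys.argv) > 1 else affected_jars(SAMPLE)
    for hit in hits:
        print("affected by CVE-2019-11272 range:", hit)
    sys.exit(1 if hits else 0)
```

A hit only means the library version is in the affected range; per the description, exposure also requires that the application uses PlaintextPasswordEncoder and has a user whose encoded password is null.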
