CVE-2019-11272: Spring Security 4.2.13 Released

Releases | Josh Cummings | June 19, 2019 | ...

We have released Spring Security 4.2.13 to address CVE-2019-11272: PlaintextPasswordEncoder authenticates encoded passwords that are null.

Users are encouraged to update immediately.

With Spring Boot, you can override the Spring Security version in Maven like so:


Or in Gradle like so:

ext['spring-security.version'] = '4.2.13.RELEASE'

Note that users of Spring Security 5+ are not affected by this vulnerability.

Get the Spring newsletter

Thank you!

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all