Improper Authentication
Spring Security supports plain text passwords via PlaintextPasswordEncoder. When it is in use, a malicious user (or attacker) can authenticate using a password of null.
Spring Security contains an insecure randomness vulnerability when SecureRandomFactoryBean#setSeed is used to configure a SecureRandom instance. To be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
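The following is an added illustration, not code from Spring Security, of the Java behaviour behind the seeding issue: for the SHA1PRNG provider, calling setSeed before any bytes have been drawn makes the generator's output a pure function of the supplied seed, so anyone who can inspect both the seed and some output can reproduce the rest of the stream. The seed bytes below are constructed for the demonstration; the helper names are this example's own.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeededSecureRandomDemo {

    // Constructed seed: stands in for whatever seed material an application
    // hands to a SecureRandom and later exposes (assumption for the demo).
    static final byte[] SEED = "app-config-seed".getBytes();

    // Weak pattern: seed first, then draw. For SHA1PRNG the initial setSeed
    // is used as the entire state, so the output depends only on SEED.
    static byte[] drawSeedFirst(byte[] seed, int n) throws NoSuchAlgorithmException {
        SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
        r.setSeed(seed);
        byte[] out = new byte[n];
        r.nextBytes(out);
        return out;
    }

    // Hardened pattern: force self-seeding from system entropy with a first
    // nextBytes call, then let the application seed only supplement it.
    static byte[] drawSelfSeededThenSupplement(byte[] seed, int n) throws NoSuchAlgorithmException {
        SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
        r.nextBytes(new byte[1]);
        r.setSeed(seed);
        byte[] out = new byte[n];
        r.nextBytes(out);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Two independent generators fed the same seed in the weak pattern.
        byte[] a = drawSeedFirst(SEED, 16);
        byte[] b = drawSeedFirst(SEED, 16);
        System.out.println("seed-first outputs identical: " + Arrays.equals(a, b));

        // Two independent generators in the hardened pattern.
        byte[] c = drawSelfSeededThenSupplement(SEED, 16);
        byte[] d = drawSelfSeededThenSupplement(SEED, 16);
        System.out.println("self-seeded-then-supplemented outputs identical: " + Arrays.equals(c, d));
    }
}
```

Running this on a JDK that ships SHA1PRNG prints true for the first comparison and false for the second: two generators seeded only with SEED yield the same bytes, which is exactly the property an attacker who has seen the seed needs, while generators that self-seed before the application seed is mixed in diverge. The practical check for a deployment is therefore whether any seed handed to the generator is also visible to a party that sees generator output, and the practical remedy is to treat application-supplied seeds as a supplement, never as the sole entropy source.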
When using CAS proxy ticket authentication, a malicious CAS service could trick another CAS service into authenticating a proxy ticket that was not associated with it. This is because the proxy ticket authentication uses information from the HttpServletRequest, which is populated from untrusted data in the HTTP request. This means that if there are access control restrictions on which CAS services can authenticate to one another, …
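The following is an added illustration, not Spring Security or CAS code, of the trust-boundary mistake the description points at: a service that reconstructs its own identity (the service URL) from the incoming request, whose Host header the client controls, lets a caller choose which service a proxy ticket is checked against. The in-memory map standing in for the CAS server's record of which service each ticket was issued to, the ticket and host names, and the helper names are all constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;

public class ProxyTicketServiceBindingDemo {

    // Constructed stand-in for the CAS server's knowledge of which service a
    // proxy ticket was issued for (assumption: a ticket -> service URL map).
    static final Map<String, String> ISSUED_FOR = new HashMap<>();
    static {
        ISSUED_FOR.put("PT-1-attacker", "https://evil.example/cas-client");
    }

    // The service URL this application is registered under with the CAS server.
    static final String CONFIGURED_SERVICE = "https://app.example/login/cas";

    // Weak pattern: derive the service URL from the request (the Host header
    // and path are attacker-supplied), then ask whether the ticket was issued
    // for that URL. The caller picks both the ticket and the service.
    static boolean validateUsingRequest(String ticket, String hostHeader, String path) {
        String serviceFromRequest = "https://" + hostHeader + path;
        String issuedFor = ISSUED_FOR.get(ticket);
        return issuedFor != null && issuedFor.equals(serviceFromRequest);
    }

    // Hardened pattern: validate against this application's configured
    // service identity only, never one reconstructed from the request.
    static boolean validateUsingConfig(String ticket) {
        String issuedFor = ISSUED_FOR.get(ticket);
        return issuedFor != null && issuedFor.equals(CONFIGURED_SERVICE);
    }

    public static void main(String[] args) {
        // A malicious service presents a ticket issued to itself, with a Host
        // header naming itself so that the reconstructed service URL matches.
        System.out.println("request-derived service accepts foreign ticket: "
                + validateUsingRequest("PT-1-attacker", "evil.example", "/cas-client"));
        System.out.println("configured service accepts foreign ticket: "
                + validateUsingConfig("PT-1-attacker"));
    }
}
```

The request-derived check accepts the foreign ticket and the configured check rejects it. The general rule is that the identity a ticket, assertion or token is validated against must come from the validating party's own configuration, because anything read from HttpServletRequest (server name, port, path) is ultimately supplied by the peer.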