Summary
WebSecurityConfig.java uses org.springframework.security.crypto.password.NoOpPasswordEncoder, which is considered insecure and only exists for testing purposes where working with plaintext passwords may be useful.
Details
The configuration should be hashing passwords and is not. The Spring Security docs recommend BCrypt, or a DelegatingPasswordEncoder so that stored password hashes can be upgraded later.
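The following is an added example (not code from the project under report) showing the insecure encoder next to the recommended replacement, and the upgrade-on-login pattern that lets existing plaintext rows be re-hashed. The class names PasswordEncoderDemo, SecurityBeans and the sample password are assumptions; the Spring Security types are the real ones.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordEncoderDemo {

    // Vulnerable: NoOpPasswordEncoder stores and compares the raw string,
    // so a leaked user table is a leaked password list (what the report describes).
    @SuppressWarnings("deprecation")
    static PasswordEncoder insecureEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }

    // Hardened: DelegatingPasswordEncoder with bcrypt as the default encoder.
    // Stored values carry an id prefix such as "{bcrypt}", so the algorithm
    // can be changed later without breaking existing rows.
    static PasswordEncoder hardenedEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Upgrade-on-login: after a successful match, re-encode the password if the
    // stored value does not use the current default encoding. Returns the value
    // that should be written back to the user store.
    static String upgradeIfNeeded(PasswordEncoder encoder, String rawPassword, String stored) {
        if (encoder.matches(rawPassword, stored) && encoder.upgradeEncoding(stored)) {
            return encoder.encode(rawPassword);
        }
        return stored;
    }

    // How the bean would look in a Spring config class (hypothetical class name).
    @Configuration
    static class SecurityBeans {
        @Bean
        PasswordEncoder passwordEncoder() {
            return hardenedEncoder();
        }
    }

    public static void main(String[] args) {
        String raw = "correct horse battery staple"; // constructed sample password

        String plain = insecureEncoder().encode(raw);   // identical to raw
        String hashed = hardenedEncoder().encode(raw);  // "{bcrypt}$2a$10$..."
        System.out.println("NoOp stores:   " + plain);
        System.out.println("bcrypt stores: " + hashed);

        // Migration of rows written by NoOpPasswordEncoder: tag them "{noop}" so the
        // delegating encoder can still verify them, then re-hash on next login.
        PasswordEncoder enc = hardenedEncoder();
        String legacy = "{noop}" + raw;
        String upgraded = upgradeIfNeeded(enc, raw, legacy);
        System.out.println("legacy row upgraded to bcrypt: " + upgraded.startsWith("{bcrypt}"));
        System.out.println("new hash still matches:        " + enc.matches(raw, upgraded));
    }
}
```

The "{noop}" tagging step matters in practice: DelegatingPasswordEncoder rejects stored values with no id prefix, so a database written by NoOpPasswordEncoder must have its existing values prefixed before the new encoder is switched on; upgradeEncoding then reports true for those rows and they are re-hashed with bcrypt the next time each user authenticates.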
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Impact
An attacker who obtains the user store (for example through a database leak or backup exposure) gets every user's password in plaintext and can access all user data.