CRITICAL🇬🇧 English

CVE-2019-16303

CVSS 9.8v3.1pub. 2019-09-14upd. 2024-11-21

A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jhipster

    APP
    Jhipster
    < 6.3.0
  • Jhipster Kotlin

    APP
    Jhipster
    ≤ 1.1.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
LPE
CWE
Referencje

Powiązane podatności

CVE-2015-20110HIGH7.5ten sam produkt

JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string compari...

CVE-2022-24815HIGH8.1ten sam vendor

JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservi...

CVE-2020-4072MEDIUM5.3ten sam vendor

In generator-jhipster-kotlin version 1.6.0 log entries are created for invalid password reset attempts. As the...