A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.
oryginał ENCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HJhipster
APPJhipster< 6.3.0Jhipster Kotlin
APPJhipster≤ 1.1.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
LPE
CWE
Referencje
Powiązane podatności
CVE-2015-20110HIGH7.5ten sam produkt
JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string compari...
CVE-2022-24815HIGH8.1ten sam vendor
JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservi...
CVE-2020-4072MEDIUM5.3ten sam vendor
In generator-jhipster-kotlin version 1.6.0 log entries are created for invalid password reset attempts. As the...