JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NJhipster
APPJhipster< 2.23.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References
Related vulnerabilities
CVE-2019-16303CRITICAL9.8ten sam produkt
A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code th...
CVE-2022-24815HIGH8.1ten sam vendor
JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservi...
CVE-2020-4072MEDIUM5.3ten sam vendor
In generator-jhipster-kotlin version 1.6.0 log entries are created for invalid password reset attempts. As the...