A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.
References
Link | Resource |
---|---|
https://github.com/jhipster/generator-jhipster/commit/88448b85fd3e8e49df103f0061359037c2c68ea7 | Patch Third Party Advisory |
https://github.com/jhipster/generator-jhipster/issues/10401 | Exploit Issue Tracking Third Party Advisory |
https://github.com/jhipster/generator-jhipster/security/advisories/GHSA-mwp6-j9wf-968c | Third Party Advisory |
https://github.com/jhipster/jhipster-kotlin/issues/183 | Exploit Issue Tracking Third Party Advisory |
https://lists.apache.org/thread.html/r6d243e7e3f25daeb242dacf3def411fba32a9388d3ff84918cb28ddd%40%3Cissues.commons.apache.org%3E | |
https://lists.apache.org/thread.html/rc3f00f5d3d2ec0e2381a3b9096d5f5b4d46ec1587ee7e251a3dbb897%40%3Cissues.commons.apache.org%3E | |
https://lists.apache.org/thread.html/rc87fa35a48b5d70b06af6fb81785ed82e82686eb83307aae6d250dc9%40%3Cissues.commons.apache.org%3E | |
https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html | Release Notes Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
07 Nov 2023, 03:05
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2019-09-14 00:15
Updated : 2024-02-28 17:08
NVD link : CVE-2019-16303
Mitre link : CVE-2019-16303
CVE.ORG link : CVE-2019-16303
JSON object : View
Products Affected
jhipster
- jhipster
- jhipster_kotlin
CWE
CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)