Lucene search

MitreCVE-2015-20110

HistoryOct 31, 2023 - 3:15 a.m.

CVE-2015-20110

2023-10-3103:15:07

CWE-307

mitre

web.nvd.nist.gov

jhipster

generator-jhipster

timing attack

vulnerability

security

nvd

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

31.3%

JSON

JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.

Affected configurations

Nvd

Node

jhipsterjhipsterRange<2.23.0

VendorProductVersionCPE
jhipsterjhipster*cpe:2.3:a:jhipster:jhipster:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
jhipster	jhipster	*	cpe:2.3:a:jhipster:jhipster::::::::

References

github.com/jhipster/generator-jhipster/commit/79fe5626cb1bb80f9ac86cf46980748e65d2bdbc

github.com/jhipster/generator-jhipster/commit/7c49ab3d45dc4921b831a2ca55fb1e2a2db1ee25

github.com/jhipster/generator-jhipster/compare/v2.22.0...v2.23.0

github.com/jhipster/generator-jhipster/issues/2095

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

31.3%

JSON

Related for CVE-2015-20110