Lucene search

[email protected]CVE-2019-16303

HistorySep 14, 2019 - 12:15 a.m.

CVE-2019-16303

2019-09-1400:15:10

CWE-338

[email protected]

web.nvd.nist.gov

228

cve-2019-16303

jhipster

jhipster kotlin

security vulnerability

privilege escalation

account takeover

nvd

apache.commons.lang3

randomstringutils

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.016 Low

EPSS

Percentile

87.6%

JSON

A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.

Affected configurations

NVD

Node

jhipsterjhipsterRange<6.3.0

jhipsterjhipster_kotlinRange≤1.1.0

CPENameOperatorVersion
jhipster:jhipsterjhipsterlt6.3.0
jhipster:jhipster_kotlinjhipster jhipster kotlinle1.1.0

CPE	Name	Operator	Version
jhipster:jhipster	jhipster	lt	6.3.0
jhipster:jhipster_kotlin	jhipster jhipster kotlin	le	1.1.0

References

github.com/jhipster/generator-jhipster/commit/88448b85fd3e8e49df103f0061359037c2c68ea7

github.com/jhipster/generator-jhipster/issues/10401

github.com/jhipster/generator-jhipster/security/advisories/GHSA-mwp6-j9wf-968c

github.com/jhipster/jhipster-kotlin/issues/183

lists.apache.org/thread.html/r6d243e7e3f25daeb242dacf3def411fba32a9388d3ff84918cb28ddd%40%3Cissues.commons.apache.org%3E

lists.apache.org/thread.html/rc3f00f5d3d2ec0e2381a3b9096d5f5b4d46ec1587ee7e251a3dbb897%40%3Cissues.commons.apache.org%3E

lists.apache.org/thread.html/rc87fa35a48b5d70b06af6fb81785ed82e82686eb83307aae6d250dc9%40%3Cissues.commons.apache.org%3E

www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html

Social References

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.016 Low

EPSS

Percentile

87.6%

JSON

Related for CVE-2019-16303

hackerone2 cvelist1 nvd1 veracode1 nodejs2 prion1 osv2 github1