Lucene search
GoogleOSV:GHSA-PFXF-WH96-FVJCHistoryJun 25, 2020 - 8:02 p.m.
Log Forging in generator-jhipster-kotlin
2020-06-2520:02:51
Google
osv.dev
8
0.002 Low
EPSS
Percentile
60.9%
Impact
We log the mail for invalid password reset attempts.
As the email is provided by a user and the api is public this can be used by an attacker to forge log entries.
This is vulnerable to https://cwe.mitre.org/data/definitions/117.html
This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable.
Patches
version 1.7.0.
Workarounds
In AccountResource.kt you should change the line
log.warn("Password reset requested for non existing mail '$mail'");
to
log.warn("Password reset requested for non existing mail");
References
- https://cwe.mitre.org/data/definitions/117.html
- https://owasp.org/www-community/attacks/Log_Injection
- https://www.baeldung.com/jvm-log-forging
For more information
If you have any questions or comments about this advisory:
- Open an issue in jhipster kotlin
| CPE | Name | Operator | Version |
|---|---|---|---|
| generator-jhipster-kotlin | eq | 1.6.0 |
Related
cvelist
cvelist
CVE-2020-4072 Log Forging in generator-jhipster-kotlin
2020-06-25 20:05:15
github
github
Log Forging in generator-jhipster-kotlin
2020-06-25 20:02:51
cve
cve
CVE-2020-4072
2020-06-25 20:15:11
veracode
veracode
Log Injection
2020-06-26 06:46:13
prion
prion
Authentication flaw
2020-06-25 20:15:00
nvd
nvd
CVE-2020-4072
2020-06-25 20:15:11
osv
osv
CVE-2020-4072
2020-06-25 20:15:11