Incorrect Authorization
Overview: generator-jhipster is a development platform to generate, develop and deploy Spring Boot + Angular / React / Vue Web applications and Spring microservices. Affected versions of this package are vulnerable to Incorrect Authorization via the authorities parameter in the response from the...
Timing Attack
generator-jhipster is vulnerable to a Timing Attack. The vulnerability exists because TokenProvider.java uses String.equals() to compare the given token signature. This comparison method does not effectively validate the token because it stops as soon as it encounters the first character tha...
GHSA-4GPM-R23H-GPRW generator-jhipster allows a timing attack against validateToken due to a string comparison that stops at the first character
JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces t...
CVE-2015-20110
JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces t...
CVE-2015-20110
Summary: CVE-2015-20110 affects the JHipster generator-jhipster before 2.23.0. The root cause is a token validation routine that compares strings using a short-circuiting comparison, leaking timing information. This allows attackers to brute-force tokens one character at a time by observing resp...
PT-2023-10311 · Jhipster · Generator-Jhipster
Name of the Vulnerable Software and Affected Versions: JHipster generator-jhipster versions prior to 2.23.0 Description: The issue allows for a timing attack against the validateToken function due to a string comparison that stops at the first different character. This enables attackers to guess...
Cryptographically Weak PRNG
Overview: Versions of generator-jhipster use a Cryptographically Weak PRNG that may lead to account takeover. The package uses a cryptographically insecure method to generate password reset links, which allows an attacker to guess password reset links and take over accounts. Recommendation: Update t...
GHSA-MC84-XR9P-938R High severity vulnerability that affects generator-jhipster
Generated code uses repository configuration that downloads over HTTP instead of HTTPS. Impact: Gradle users were using the http://repo.spring.io/plugins-release repositories in plain HTTP, and not HTTPS, so a man-in-the-middle attack was possible at build time. Patches: Maven users should at least...
Insecure Randomness
generator-jhipster is vulnerable to insecure randomness. The vulnerability exists because it was using an insecure random utility, RandomStringUtils, from Apache Commons Lang3...
Unauthorized Access To Protected Routes
generator-jhipster is vulnerable to unauthorized access to protected routes. The vulnerability exists when generator-jhipster is used with angular2. When the data.authorities property is used to protect an angular2 route, an unauthorized user can successfully view the page...