CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence: High
EPSS Percentile: 31.3%
generator-jhipster is vulnerable to a Timing Attack. The vulnerability exists because _TokenProvider.java uses String.equals(str) to compare the given token signature. This comparison does not validate the token safely because it returns as soon as it encounters the first character that differs, so the time the comparison takes depends on how many leading characters match. This behavior allows an attacker to guess a token through brute force, one character at a time, using timing observations to discern the correct character at each position.
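Added example (not the project's code or the linked fix commits): the String.equals comparison described above beside a constant-time replacement using java.security.MessageDigest.isEqual. The method names and the sample signature values are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class TokenSignatureCheck {

    // Vulnerable form: String.equals returns at the first mismatching
    // character, so its running time grows with the length of the
    // matching prefix and leaks how much of the guess is correct.
    static boolean equalsVulnerable(String expectedSignature, String presentedSignature) {
        return expectedSignature.equals(presentedSignature);
    }

    // Hardened form: MessageDigest.isEqual examines every byte of two
    // equal-length arrays before answering, so the time does not depend
    // on where the first difference occurs. A length mismatch is still
    // rejected immediately, which is acceptable because a signature
    // (e.g. an HMAC) has a fixed, public length.
    static boolean equalsConstantTime(String expectedSignature, String presentedSignature) {
        byte[] expected = expectedSignature.getBytes(StandardCharsets.UTF_8);
        byte[] presented = presentedSignature.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented);
    }

    public static void main(String[] args) {
        // Constructed sample signature; not a real token from the project.
        String expected = "3f8a2b1c9d0e7f6a5b4c3d2e1f0a9b8c";
        String[] presented = {
            "3f8a2b1c9d0e7f6a5b4c3d2e1f0a9b8c", // correct
            "3f8a2b1c9d0e7f6a5b4c3d2e1f0a9b8d", // differs only in the last char
            "00000000000000000000000000000000", // differs in the first char
        };
        // Both methods return the same boolean; only the timing profile differs.
        for (String p : presented) {
            System.out.printf("%s -> vulnerable=%b constantTime=%b%n",
                p, equalsVulnerable(expected, p), equalsConstantTime(expected, p));
        }
    }
}
```

The fix is to route every signature comparison through the constant-time method so that a wrong guess costs the same time regardless of how many leading characters it shares with the real signature.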
github.com/advisories/GHSA-4gpm-r23h-gprw
github.com/jhipster/generator-jhipster/commit/79fe5626cb1bb80f9ac86cf46980748e65d2bdbc
github.com/jhipster/generator-jhipster/commit/7c49ab3d45dc4921b831a2ca55fb1e2a2db1ee25
github.com/jhipster/generator-jhipster/compare/v2.22.0...v2.23.0
github.com/jhipster/generator-jhipster/issues/2095