CVE-2019-16303

 

Published at: - 14-09-2019 02:15

Last modified: - 20-01-2023 05:31

Total changes: - 2

Description

A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

Verification logic

 

Reference

• https://github.com/jhipster/jhipster-kotlin/issues/183
• https://github.com/jhipster/generator-jhipster/security/advisories/GHSA-mwp6-j9wf-968c
• https://github.com/jhipster/generator-jhipster/commit/88448b85fd3e8e49df103f0061359037c2c68ea7
• https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html
• https://github.com/jhipster/generator-jhipster/issues/10401
• [commons-issues] 20200918 [jira] [Created] (LANG-1607) To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG-Mailing List, Third Party Advisory
• [commons-issues] 20200919 [jira] [Commented] (LANG-1607) To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG-Mailing List, Third Party Advisory
• [commons-issues] 20200921 [jira] [Commented] (LANG-1607) To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG-Mailing List, Third Party Advisory

 

Keywords

NVD

 

CVE-2019-16303

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures