CVE-2015-20110

Published: Oct 31, 2023

Modified: Sep 6, 2024

PUBLISHED

Description

JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/jhipster/generator-jhipster/issues/2095

https://github.com/jhipster/generator-jhipster/commit/7c49ab3d45dc4921b831a2ca55fb1e2a2db1ee25

https://github.com/jhipster/generator-jhipster/commit/79fe5626cb1bb80f9ac86cf46980748e65d2bdbc

https://github.com/jhipster/generator-jhipster/compare/v2.22.0...v2.23.0

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2015-20110

Description

Affected Products

References