QwikSec

Security Database

CVE

CWE

Training

CVE-2019-16303

Published: Sep 13, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/jhipster/generator-jhipster/security/advisories/GHSA-mwp6-j9wf-968c

x_refsource_MISC

https://github.com/jhipster/generator-jhipster/issues/10401

x_refsource_MISC

https://github.com/jhipster/generator-jhipster/commit/88448b85fd3e8e49df103f0061359037c2c68ea7

x_refsource_MISC

https://github.com/jhipster/jhipster-kotlin/issues/183

x_refsource_MISC

https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html

x_refsource_MISC

[commons-issues] 20200918 [jira] [Created] (LANG-1607) To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG

mailing-list

x_refsource_MLIST

[commons-issues] 20200919 [jira] [Commented] (LANG-1607) To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG

mailing-list

x_refsource_MLIST

[commons-issues] 20200921 [jira] [Commented] (LANG-1607) To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.