
Critical severity vulnerability that affects generator-jhipster

Critical severity GitHub Reviewed Published Sep 13, 2019 in jhipster/generator-jhipster • Updated Jan 9, 2023
Withdrawn This advisory was withdrawn on Jun 26, 2020

Package

npm generator-jhipster (npm)

Affected versions

< 6.3.0

Patched versions

6.3.0

Description

Account takeover and privilege escalation are possible in applications generated by generator-jhipster before 6.3.0. This is due to a vulnerability in the generated Java classes: CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG).

Generated applications must be manually patched, following instructions in the release notes: https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html
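The weakness class named above, shown as an added illustration that is not the project's generated code: a key generator backed by java.util.Random (the CWE-338 shape) beside the same generator backed by SecureRandom. The class name, method names and key length are assumptions for the example.

```java
import java.security.SecureRandom;
import java.util.Random;

// Illustrative class, not JHipster's own RandomUtil.
public final class ResetKeyExample {
    private static final String ALPHANUM =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final int KEY_LENGTH = 20; // assumed length for the example

    // CWE-338 shape: java.util.Random is a 48-bit linear congruential
    // generator seeded from a counter and the clock. Its output is not
    // unpredictable, so an activation or password-reset key built from it
    // does not carry the entropy a security token needs.
    private static final Random WEAK = new Random();

    static String weakKey() {
        StringBuilder sb = new StringBuilder(KEY_LENGTH);
        for (int i = 0; i < KEY_LENGTH; i++) {
            sb.append(ALPHANUM.charAt(WEAK.nextInt(ALPHANUM.length())));
        }
        return sb.toString();
    }

    // Hardened shape: SecureRandom draws from the platform CSPRNG, so each
    // key is independent of those issued before it. If a library helper
    // builds the string, hand it this instance rather than letting it
    // fall back to its own java.util.Random.
    private static final SecureRandom SECURE = new SecureRandom();

    static String secureKey() {
        StringBuilder sb = new StringBuilder(KEY_LENGTH);
        for (int i = 0; i < KEY_LENGTH; i++) {
            sb.append(ALPHANUM.charAt(SECURE.nextInt(ALPHANUM.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("weak   (CWE-338): " + weakKey());
        System.out.println("secure (fixed)  : " + secureKey());
    }
}
```

When auditing a generated application, the thing to look for is any token, activation key or reset key whose characters come from a `Random` that is not a `SecureRandom`; the two generators above produce strings that look identical, which is why the defect is not visible from the output alone.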

References

@jdubois jdubois published to jhipster/generator-jhipster Sep 13, 2019
Published to the GitHub Advisory Database Sep 13, 2019
Reviewed Jun 16, 2020
Withdrawn Jun 26, 2020
Last updated Jan 9, 2023

Severity

Critical 9.8 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-mwp6-j9wf-968c

Credits
