CVE-2019-16303

CRITICAL

JHipster <6.3.0 & JHipster Kotlin <=1.1.0 - Privilege Escalation

Title source: llm

Description

A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.

References (8)

[Third Party Advisory] https://github.com/jhipster/generator-jhipster/security/advisories/GHSA-mwp6-j9wf-968c

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/jhipster/generator-jhipster/issues/10401

[Patch, Third Party Advisory] https://github.com/jhipster/generator-jhipster/commit/88448b85fd3e8e49df103f0061359037c2c68ea7

View Patch ZIP pw:eip

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/jhipster/jhipster-kotlin/issues/183

[Release Notes, Vendor Advisory] https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html

[Mailing List] https://lists.apache.org/thread.html/r6d243e7e3f25daeb242dacf3def411fba32a9388d3ff84918cb28ddd%40%3Cissues.commons.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/rc87fa35a48b5d70b06af6fb81785ed82e82686eb83307aae6d250dc9%40%3Cissues.commons.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/rc3f00f5d3d2ec0e2381a3b9096d5f5b4d46ec1587ee7e251a3dbb897%40%3Cissues.commons.apache.org%3E

Scores

CVSS v3 9.8

EPSS 0.0190

EPSS Percentile 83.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-338

Status published

Products (3)

jhipster/jhipster < 6.3.0

jhipster/jhipster_kotlin < 1.1.0

npm/generator-jhipster-kotlin 0 - 1.2.0npm

Published Sep 14, 2019

Tracked Since Feb 18, 2026