CVE-2020-4072 – generator-jhipster-kotlin

Package

Manager: npm
Name: generator-jhipster-kotlin
Vulnerable Version: =1.6.0 || >=1.6.0 <1.7.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00304 pctl0.53166

Details

Log Forging in generator-jhipster-kotlin ### Impact We log the mail for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable. ### Patches version 1.7.0. ### Workarounds In `AccountResource.kt` you should change the line ```kotlin log.warn("Password reset requested for non existing mail '$mail'"); ``` to ```kotlin log.warn("Password reset requested for non existing mail"); ``` ### References * https://cwe.mitre.org/data/definitions/117.html * https://owasp.org/www-community/attacks/Log_Injection * https://www.baeldung.com/jvm-log-forging ### For more information If you have any questions or comments about this advisory: * Open an issue in [jhipster kotlin](https://github.com/jhipster/jhipster-kotlin)

Metadata

Created: 2020-06-25T20:02:51Z
Modified: 2021-01-07T23:50:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-pfxf-wh96-fvjc/GHSA-pfxf-wh96-fvjc.json
CWE IDs: ["CWE-117"]
Alternative ID: GHSA-pfxf-wh96-fvjc
Finding: F091
Auto approve: 1