Lack of protection against brute force attacks in generator-jhipster

Description

JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken: the token is checked with a string comparison that returns as soon as it reaches the first differing character, so the time the comparison takes reveals how many leading characters of the guess were correct. An attacker can therefore recover the token one character at a time by submitting guesses and measuring response times. This reduces the search space from every possible combination (exponential in the token length) to a linear number of guesses: at most the token length times the number of possible characters.

Mitigation

Upgrade generator-jhipster to version 2.23.0 or later.

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem: npm
Package: generator-jhipster
Affected version: < 2.23.0
Patched versions: 2.23.0
FLAT-TVAYD – Vulnerability | Fluid Attacks Database