CVE-2019-16303

Description

Account takeover and privilege escalation is possible in applications generated by generator-jhipster before 6.3.0. This is due to a vulnerability in the generated java classes: CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Generated applications must be manually patched, following instructions in the release notes: https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html

Affected packages (2)

• npm/generator-jhipsterfrom 0, < 6.3.0
• npm/generator-jhipster-kotlinfrom 0, < 1.2.0

CVSS scores

References (17)

• ADVISORYhttps://github.com/advisories/GHSA-j3rh-8vwq-wh84
• ADVISORYhttps://github.com/advisories/GHSA-mwp6-j9wf-968c
• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-16303
• PATCHhttps://github.com/jhipster/generator-jhipster
• WEBhttps://github.com/jhipster/generator-jhipster/commit/88448b85fd3e8e49df103f0061359037c2c68ea7
• WEBhttps://github.com/jhipster/generator-jhipster/issues/10401
• WEBhttps://github.com/jhipster/generator-jhipster/security/advisories/GHSA-mwp6-j9wf-968c
• WEBhttps://github.com/jhipster/jhipster-kotlin/commit/deec3587ef7721cf5de5b960d43e9b68beff6193
• WEBhttps://github.com/jhipster/jhipster-kotlin/issues/183
• WEBhttps://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84
• WEBhttps://lists.apache.org/thread.html/r6d243e7e3f25daeb242dacf3def411fba32a9388d3ff84918cb28ddd@%3Cissues.commons.apache.org%3E
• WEBhttps://lists.apache.org/thread.html/rc3f00f5d3d2ec0e2381a3b9096d5f5b4d46ec1587ee7e251a3dbb897@%3Cissues.commons.apache.org%3E
• WEBhttps://lists.apache.org/thread.html/rc87fa35a48b5d70b06af6fb81785ed82e82686eb83307aae6d250dc9@%3Cissues.commons.apache.org%3E
• WEBhttps://snyk.io/vuln/SNYK-JS-GENERATORJHIPSTER-466980
• WEBhttps://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html
• WEBhttps://www.npmjs.com/advisories/1187
• WEBhttps://www.npmjs.com/advisories/1188