CVE-2020-4072
MEDIUM5.3EPSS 0.30%Log Forging in generator-jhipster-kotlin
Description
### Impact We log the mail for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable. ### Patches version 1.7.0. ### Workarounds In `AccountResource.kt` you should change the line ```kotlin log.warn("Password reset requested for non existing mail '$mail'"); ``` to ```kotlin log.warn("Password reset requested for non existing mail"); ``` ### References * https://cwe.mitre.org/data/definitions/117.html * https://owasp.org/www-community/attacks/Log_Injection * https://www.baeldung.com/jvm-log-forging ### For more information If you have any questions or comments about this advisory: * Open an issue in [jhipster kotlin](https://github.com/jhipster/jhipster-kotlin)
Affected packages (1)
- npm/generator-jhipster-kotlin>= 1.6.0, < 1.7.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-4072
- WEBhttps://github.com/jhipster/jhipster-kotlin/commit/426ccab85e7e0da562643200637b99b6a2a99449
- WEBhttps://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-pfxf-wh96-fvjc
- WEBhttps://owasp.org/www-community/attacks/Log_Injection
- WEBhttps://www.baeldung.com/jvm-log-forging