Vulnerability Description
In generator-jhipster-kotlin version 1.6.0, log entries are created for invalid password reset attempts. Because the email address is supplied by the user and the API is public, an attacker can use it to forge log entries (log injection, https://cwe.mitre.org/data/definitions/117.html). This problem affects only applications generated with JWT or session authentication; applications using OAuth are not vulnerable. This issue has been fixed in version 1.7.0.
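An added illustration, not code from generator-jhipster-kotlin or its 1.7.0 fix: a Kotlin password-reset handler that writes the caller-supplied email to the log as received, beside a version that neutralises control characters first. The class name, the `sanitizeForLog` helper and the log message wording are assumptions.

```kotlin
import org.slf4j.LoggerFactory

// Constructed example of the CWE-117 pattern described above (not the generator's code).
class AccountResource {
    private val log = LoggerFactory.getLogger(AccountResource::class.java)

    // Vulnerable pattern: the email comes straight from the request body of a public
    // endpoint. Any "\r" or "\n" inside it starts a new line in the log file, so the
    // caller controls what the next "entry" looks like.
    fun requestPasswordResetVulnerable(email: String) {
        log.warn("Password reset requested for non existing mail '{}'", email)
    }

    // Hardened pattern: line breaks and other control characters are replaced before
    // the value is handed to the logger, so one request produces exactly one entry.
    fun requestPasswordResetSafe(email: String) {
        log.warn("Password reset requested for non existing mail '{}'", sanitizeForLog(email))
    }

    companion object {
        // Assumed helper: replace every ASCII control character (CR, LF, ESC, ...) with '_'.
        // A dedicated encoder library can be used instead if the project already has one.
        fun sanitizeForLog(value: String): String =
            value.replace(Regex("""\p{Cntrl}"""), "_")
    }
}
```

With the hardened version, a valid address is logged unchanged, while an address carrying an embedded line break appears as a single line with the break shown as `_`, which also makes such attempts easy to spot when reviewing logs.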
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jhipster | Generator-Jhipster-Kotlin | < 1.7.0 |
Related Weaknesses (CWE)
- CWE-117: Improper Output Neutralization for Logs (https://cwe.mitre.org/data/definitions/117.html)
References
- https://github.com/jhipster/jhipster-kotlin/commit/426ccab85e7e0da562643200637b9 (Patch, Third Party Advisory)
- https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-pfxf-wh96-f (Third Party Advisory)
- https://owasp.org/www-community/attacks/Log_Injection (Technical Description)
- https://www.baeldung.com/jvm-log-forging (Technical Description)
FAQ
What is CVE-2020-4072?
CVE-2020-4072 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In generator-jhipster-kotlin version 1.6.0, log entries are created for invalid password reset attempts. Because the email address is supplied by the user and the API is public, an attacker can use it to forge log entries.
How severe is CVE-2020-4072?
CVE-2020-4072 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-4072?
Check the references section above for vendor advisories and patch information. Affected products include: Jhipster Generator-Jhipster-Kotlin.