7.5

CVE-2015-20110

EPSS 0.21%
Veröffentlicht 31.10.2023 03:15:07
Zuletzt bearbeitet 21.11.2024 02:26:34
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jhipster ≫ Jhipster Version < 2.23.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.41

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

https://github.com/jhipster/generator-jhipster/commit/79fe5626cb1bb80f9ac86cf46980748e65d2bdbc

Patch

https://github.com/jhipster/generator-jhipster/commit/7c49ab3d45dc4921b831a2ca55fb1e2a2db1ee25

Patch

https://github.com/jhipster/generator-jhipster/compare/v2.22.0...v2.23.0

Patch

Release Notes

https://github.com/jhipster/generator-jhipster/issues/2095

Patch

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2015-20110

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2015-20110

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2015-20110

EUVD