Advisories for Npm/Generator-Jhipster package

2023

generator-jhipster allows a timing attack against validateToken due to a string comparison that stops at the first character

JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.

2022

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures. SQL Injection vulnerability in entities for applications generated with the option "reactive with Spring WebFlux" enabled and an SQL database using r2dbc. Applications created without "reactive with Spring WebFlux" and applications with NoSQL databases are not affected. Users who have generated a microservice Gateway using the affected version may be impacted as Gateways …

2019

High severity vulnerability that affects generator-jhipster

Generated code uses repository configuration that downloads over HTTP instead of HTTPS Impact Gradle users were using the http://repo.spring.io/plugins-release repositories in plain HTTP, and not HTTPS, so a man-in-the-middle attack was possible at build time. Patches Maven users should at least upgrade to 6.3.0 while Gradle users should update to 6.3.1. If you are not able to upgrade make sure not to use a Maven repository via http in your …