CVE-2019-16303: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

September 14, 2019 (updated September 16, 2019)

A class generated by the Generator in JHipster produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.

References

nvd.nist.gov/vuln/detail/CVE-2019-16303
www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html

Detect and mitigate CVE-2019-16303 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →