generator-jhipster@6.8.0 vulnerabilities

Spring Boot + Angular/React/Vue in one handy generator

Direct Vulnerabilities

Known vulnerabilities in the generator-jhipster package. This does not include vulnerabilities belonging to this package’s dependencies.

Regular Expression Denial of Service (ReDoS)
Severity: M (medium)

generator-jhipster is a development platform to generate, develop and deploy Spring Boot + Angular / React / Vue Web applications and Spring microservices.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in applications using JWT or session-based authentication (not OIDC). An attacker can submit a crafted login string that causes a denial of service, because matching it against the login pattern is too computationally expensive.

Note: The vulnerable expression was never officially released. Users might be affected only if they generated an application from the master branch between the identified releases.

Workarounds

Users who have created an application from the master branch need to adapt the LOGIN_REGEX in Constants.java. The regex pattern below

^[a-zA-Z0-9!#$&'*+=?^_`{|}~.-]+@?[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*$

has to be changed to

^(?>[a-zA-Z0-9!$&*+=?^_`{|}~.-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*)|(?>[_.@A-Za-z0-9-]+)$

The ^[_.@A-Za-z0-9-]*$ pattern does not need to be changed, unless developers want to support logins containing a + sign (e.g. foo+bar@example.com).

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade generator-jhipster to version 6.9.0 or higher.

Vulnerable versions: >=6.8.0 <6.9.0

Information Exposure
Severity: M (medium)

Affected versions of this package are vulnerable to Information Exposure. On the user management webpage, http://localhost:8080/admin/user-management, it is possible to sort the table columns, and the following URL can be observed when sorting by Login: http://localhost:8080/admin/user-management?page=1&sort=login,desc

The data displayed on the screen comes from generators/server/templates/src/main/java/package/domain/User.java.ejs, which is backed by the jhi_user database table. The issue is that some properties of the model hold security-related data, and an administrator can sort the table by them. For example: http://localhost:8080/admin/user-management?page=1&sort=password,desc In this case, the password property maps to the password_hash column of the database, so the ordering of the rows leaks information about the stored hashes.
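As an added defensive illustration (not JHipster's own code, and not how version 6.10.2 fixes the issue), the snippet below filters the raw sort parameters of the user-management request against an allowlist of properties an administrator may order by, so a value such as password,desc is dropped before it can shape the database query. The allowlist contents and the class name are assumptions for the example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Added example, not part of generator-jhipster. Filters "sort" query parameters
// of the form "property[,asc|desc]" against an allowlist of sortable properties.
public final class SortParamFilter {

    // Properties the admin user table legitimately displays and may order by.
    // Assumed set for illustration; note that "password" is deliberately absent.
    static final Set<String> SORTABLE = Set.of(
        "id", "login", "email", "activated", "langKey", "createdDate", "lastModifiedDate");

    /**
     * Returns only the sort parameters whose property is allowlisted, with the
     * direction normalised to "asc" or "desc" (anything else becomes "asc").
     * A parameter such as "password,desc" is silently discarded.
     */
    static List<String> filterSort(List<String> rawSortParams) {
        return rawSortParams.stream()
            .map(p -> p.split(",", 2))
            .filter(parts -> SORTABLE.contains(parts[0]))
            .map(parts -> {
                String dir = parts.length > 1 ? parts[1].toLowerCase() : "asc";
                if (!dir.equals("asc") && !dir.equals("desc")) {
                    dir = "asc";
                }
                return parts[0] + "," + dir;
            })
            .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the two URLs quoted in the advisory.
        System.out.println(filterSort(Arrays.asList("login,desc")));
        System.out.println(filterSort(Arrays.asList("password,desc")));
        System.out.println(filterSort(Arrays.asList("email,DESC", "password,asc", "id")));
    }
}
```

The filtered list is what would be handed to the repository layer; the first call keeps login,desc, the second yields an empty list, and the third keeps only the email and id entries.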

How to fix Information Exposure?

Upgrade generator-jhipster to version 6.10.2 or higher.

Vulnerable versions: <6.10.2

Improper Output Neutralization for Logs
Severity: M (medium)

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs. User-provided text submitted through the API is written to the logs without neutralization, so it can be used to forge log entries.

How to fix Improper Output Neutralization for Logs?

Upgrade generator-jhipster to version 6.9.0 or higher.

Vulnerable versions: <6.9.0