generator-jhipster 6.8.0 vulnerabilities

Known vulnerabilities in the generator-jhipster package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) generator-jhipster is a development platform to generate, develop and deploy Spring Boot + Angular / React / Vue Web applications and Spring microservices. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in applications using JWT or session-based authentication (not OIDC), by allowing an attacker to input a login string which can cause a denial of service, as parsing will be too complex. Note The vulnerable expression was never officially released. Users might be affected only if they generated an application from the master branch between the identified releases. Workarounds Users who have created an application from the master branch, need to adapt the `LOGIN_REGEX` in `Constants.java`. The below regex pattern ^[a-zA-Z0-9!#$&'+=?^_`{\|}~.-]+@?[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)$ has to be changed to ^(?>[a-zA-Z0-9!$&+=?^_`{\|}~.-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+))\|(?>[_.@A-Za-z0-9-]+)$ The `^[_.@A-Za-z0-9-]*$` pattern does not need to be changed, except if developers would like to support login with `+` sign (e.g. `foo+bar@example.com`). How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `generator-jhipster` to version 6.9.0 or higher.	>=6.8.0 <6.9.0
M Information Exposure generator-jhipster is a development platform to generate, develop and deploy Spring Boot + Angular / React / Vue Web applications and Spring microservices. Affected versions of this package are vulnerable to Information Exposure. On the user management webpage: `http://localhost:8080/admin/user-management`, it is possible to sort columns and the following URL can be observed when sorting by Login: `http://localhost:8080/admin/user-management?page=1&sort=login,desc` The data displayed on the screen is from the `generators/server/templates/src/main/java/package/domain/User.java.ejs` which contains data from the `jhi_user` database table. The issue is that some properties of the model contain security related data and that an administrator can sort them out. For example: `http://localhost:8080/admin/user-management?page=1&sort=password,desc` In this case, the password property is the password_hash column of the database. How to fix Information Exposure? Upgrade `generator-jhipster` to version 6.10.2 or higher.	<6.10.2
M Improper Output Neutralization for Logs generator-jhipster is a development platform to generate, develop and deploy Spring Boot + Angular / React / Vue Web applications and Spring microservices. Affected versions of this package are vulnerable to Improper Output Neutralization for Logs. User-provided text can be used to forge logs when using the API. How to fix Improper Output Neutralization for Logs? Upgrade `generator-jhipster` to version 6.9.0 or higher.	<6.9.0

Vulnerability

Vulnerable Version

Regular Expression Denial of Service (ReDoS)

generator-jhipster is a development platform to generate, develop and deploy Spring Boot + Angular / React / Vue Web applications and Spring microservices.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in applications using JWT or session-based authentication (not OIDC), by allowing an attacker to input a login string which can cause a denial of service, as parsing will be too complex.

** Note ** The vulnerable expression was never officially released. Users might be affected only if they generated an application from the master branch between the identified releases.

Workarounds

Users who have created an application from the master branch, need to adapt the LOGIN_REGEX in Constants.java. The below regex pattern

^[a-zA-Z0-9!#$&'*+=?^_`{|}~.-]+@?[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*$

has to be changed to

^(?>[a-zA-Z0-9!$&*+=?^_`{|}~.-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*)|(?>[_.@A-Za-z0-9-]+)$

The ^[_.@A-Za-z0-9-]*$ pattern does not need to be changed, except if developers would like to support login with + sign (e.g. foo+bar@example.com).

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade generator-jhipster to version 6.9.0 or higher.

>=6.8.0 <6.9.0

Information Exposure

generator-jhipster is a development platform to generate, develop and deploy Spring Boot + Angular / React / Vue Web applications and Spring microservices.

Affected versions of this package are vulnerable to Information Exposure. On the user management webpage: http://localhost:8080/admin/user-management, it is possible to sort columns and the following URL can be observed when sorting by Login: http://localhost:8080/admin/user-management?page=1&sort=login,desc

The data displayed on the screen is from the generators/server/templates/src/main/java/package/domain/User.java.ejs which contains data from the jhi_user database table. The issue is that some properties of the model contain security related data and that an administrator can sort them out. For example: http://localhost:8080/admin/user-management?page=1&sort=password,desc In this case, the password property is the password_hash column of the database.

How to fix Information Exposure?

Upgrade generator-jhipster to version 6.10.2 or higher.

<6.10.2

Improper Output Neutralization for Logs

generator-jhipster is a development platform to generate, develop and deploy Spring Boot + Angular / React / Vue Web applications and Spring microservices.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs. User-provided text can be used to forge logs when using the API.

How to fix Improper Output Neutralization for Logs?

Upgrade generator-jhipster to version 6.9.0 or higher.

<6.9.0

generator-jhipster@6.8.0 vulnerabilities

Spring Boot + Angular/React/Vue in one handy generator

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?

Workarounds