Information Exposure Affecting generator-jhipster package, versions <6.10.2
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-GENERATORJHIPSTER-608849
- published 29 Sep 2020
- disclosed 27 Aug 2020
- credit cbornet
How to fix?
Upgrade generator-jhipster to version 6.10.2 or higher.
Overview
generator-jhipster is a development platform to generate, develop and deploy Spring Boot + Angular / React / Vue Web applications and Spring microservices.
Affected versions of this package are vulnerable to Information Exposure. On the user management webpage: http://localhost:8080/admin/user-management, it is possible to sort columns and the following URL can be observed when sorting by Login:
http://localhost:8080/admin/user-management?page=1&sort=login,desc
The data displayed on the screen is from the generators/server/templates/src/main/java/package/domain/User.java.ejs which contains data from the jhi_user database table. The issue is that some properties of the model contain security related data and that an administrator can sort them out. For example:
http://localhost:8080/admin/user-management?page=1&sort=password,desc
In this case, the password property is the password_hash column of the database.