JHipsterGeneratedPRNG.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>This query detects instances of <code>RandomUtil.java</code> that were generated by a <a href="https://www.jhipster.tech/">JHipster</a> version that is vulnerable to <a href="https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84">CVE-2019-16303</a>.</p>
<p>If an app uses <code>RandomUtil.java</code> generated by a vulnerable version of JHipster, attackers can request a password reset token and use this to predict the value of future reset tokens generated by this server.
Using this information, they can create a reset link that allows them to take over any account.</p>
<p>This vulnerability has a
<a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-16303&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST">
CVSS v3.0 Base Score of 9.8/10
</a>.</p>
</overview>
<example>
<p>The example below shows the vulnerable <code>RandomUtil</code> class generated by <a href="https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html">JHipster prior to version 6.3.0</a>.</p>
<sample src="JHipsterGeneratedPRNGVulnerable.java" />
<p>Below is a fixed version of the <code>RandomUtil</code> class.</p>
<sample src="JHipsterGeneratedPRNGFixed.java" />
</example>
<recommendation>
<p>You should refactor the <code>RandomUtil</code> class and replace every call to <code>RandomStringUtils.randomAlphanumeric</code>, which draws from a predictable <code>java.util.Random</code> source, with a generator backed by <code>java.security.SecureRandom</code>. You can regenerate the class using the latest version of JHipster, or apply an automated refactoring such as <a href="https://github.com/moderneinc/jhipster-cwe-338">Patching JHipster CWE-338</a> for the <a href="https://github.com/openrewrite/rewrite">Rewrite project</a>.</p>
</recommendation>
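The refactoring recommended above, as an added example that is not JHipster's generated code or the query's sample files: a replacement <code>RandomUtil</code> whose token methods draw every character from <code>SecureRandom</code>. The constant name <code>DEF_COUNT</code> and the method names <code>generatePassword</code>, <code>generateActivationKey</code> and <code>generateResetKey</code> are assumed here to match the generated class; adjust them to whatever your copy exposes.

```java
import java.security.SecureRandom;

// Added example, not JHipster's own RandomUtil. A reset/activation token generator
// backed by java.security.SecureRandom instead of the java.util.Random that
// RandomStringUtils.randomAlphanumeric uses, so an attacker who obtains one
// token cannot reconstruct the generator state and predict the next ones.
public final class RandomUtil {

    private static final int DEF_COUNT = 20; // assumed token length
    private static final String ALPHANUMERIC =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // One CSPRNG per process. SecureRandom is thread-safe and seeds itself from
    // the platform entropy source, so its output stream is not recoverable from
    // previously issued tokens the way a java.util.Random stream is.
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    static {
        // Force seeding at class load rather than on the first reset request.
        SECURE_RANDOM.nextBytes(new byte[64]);
    }

    private RandomUtil() {
    }

    private static String generateRandomAlphanumericString() {
        StringBuilder sb = new StringBuilder(DEF_COUNT);
        for (int remaining = DEF_COUNT; remaining > 0; remaining--) {
            // nextInt(bound) returns a uniformly distributed index, avoiding the
            // modulo bias that "raw int % length" would introduce.
            sb.append(ALPHANUMERIC.charAt(SECURE_RANDOM.nextInt(ALPHANUMERIC.length())));
        }
        return sb.toString();
    }

    public static String generatePassword() {
        return generateRandomAlphanumericString();
    }

    public static String generateActivationKey() {
        return generateRandomAlphanumericString();
    }

    public static String generateResetKey() {
        return generateRandomAlphanumericString();
    }

    public static void main(String[] args) {
        System.out.println("reset key: " + generateResetKey());
    }
}
```

If the project keeps Apache Commons Lang, the same effect is obtained by passing the <code>SecureRandom</code> instance to <code>RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM)</code>, which is the overload that accepts a caller-supplied random source.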
<references>
<li>
Cloudflare Blog:
<a href="https://blog.cloudflare.com/why-randomness-matters/">
Why secure systems require random numbers
</a>
</li>
<li>
Hacker News:
<a href="https://news.ycombinator.com/item?id=639976">
How I Hacked Hacker News (with arc security advisory)
</a>
</li>
<li>
Posts by Pucara Information Security Team:
<a href="https://blog.pucarasec.com/2020/05/09/the-java-soothsayer-a-practical-application-for-insecure-randomness-includes-free-0day/">
The Java Soothsayer: A practical application for insecure randomness. (Includes free 0day)
</a>
</li>
<!-- LocalWords: CWE random RNG PRNG CSPRNG SecureRandom JHipster -->
</references>
</qhelp>