This query detects instances of RandomUtil.java that were generated by a JHipster version that is vulnerable to CVE-2019-16303.

If an app uses RandomUtil.java generated by a vulnerable version of JHipster, attackers can request a password reset token and use this to predict the value of future reset tokens generated by this server. Using this information, they can create a reset link that allows them to take over any account.

This vulnerability has a CVSS v3.0 Base Score of 9.8/10.

The example below shows the vulnerable RandomUtil class generated by JHipster prior to version 6.3.0.

Below is a fixed version of the RandomUtil class.

You should refactor the RandomUtil class and replace every call to RandomStringUtils.randomAlphanumeric. You can either regenerate the class using the latest version of JHipster, or apply an automated refactoring, for example the "Patching JHipster CWE-338" refactoring for the Rewrite project.
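As an added illustration (not the page's own example and not JHipster's generated source), the predictable pattern is shown beside a hardened replacement that keeps the same token alphabet and length but draws from `java.security.SecureRandom`. The class name `RandomUtilExample`, the constant `DEF_COUNT` and the method names are assumptions made for this example.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

/**
 * Added example, not JHipster's generated RandomUtil. It contrasts the
 * insecure token generator with a hardened one so the difference is
 * visible in code.
 */
public final class RandomUtilExample {

    // Token length; assumed value for this example.
    private static final int DEF_COUNT = 20;

    // One CSPRNG instance shared by all callers. SecureRandom is safe to
    // reuse and self-seeds from the platform entropy source.
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    /**
     * Vulnerable form (CWE-338). RandomStringUtils.randomAlphanumeric(int)
     * delegates to a shared java.util.Random, a linear congruential
     * generator whose internal state can be recovered from a handful of
     * observed outputs, so later reset tokens become predictable.
     */
    public static String vulnerableResetKey() {
        return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
    }

    /**
     * Hardened form. Same alphabet (letters and digits) and same length,
     * but the overload that takes an explicit java.util.Random is handed
     * the SecureRandom instance, so tokens are unpredictable.
     */
    public static String secureResetKey() {
        return RandomStringUtils.random(
            DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
    }

    private RandomUtilExample() {
        // utility class, no instances
    }
}
```

When auditing an application, every call to RandomStringUtils that is used for security tokens (activation keys, reset keys, session identifiers) should be checked for the explicit-Random overload backed by SecureRandom, not only the one in RandomUtil.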
