CVE-2019-16303

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-16303

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16303.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-16303

Aliases

GHSA-j3rh-8vwq-wh84

Related

GHSA-mwp6-j9wf-968c

Published

2019-09-14T00:15:10Z

Modified

2025-07-29T08:25:50.442914Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.

References

Affected packages

Git / github.com/jhipster/generator-jhipster

Affected ranges

Type: GIT
Repo: https://github.com/jhipster/generator-jhipster
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

88448b85fd3e8e49df103f0061359037c2c68ea7

Affected versions

v0.*

v0.10.0

v0.10.1

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.17.1

v0.17.2

v0.18.0

v0.18.1

v0.3.1

v0.4.0

v0.5.0

v0.5.1

v0.5.2

v0.6.0

v0.6.1

v0.6.2

v0.7.0

v0.7.1

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.9.0

v0.9.1

v0.9.2

v0.9.3

v1.*

v1.0.0

v1.1.0

v1.1.1

v1.10.0

v1.2.0

v1.2.1

v1.2.2

v1.3.0

v1.4.0

v1.5.0

v1.6.0

v1.7.0

v1.7.1

v1.8.0

v1.8.1

v1.9.0

v2.*

v2.0.0

v2.1.0

v2.1.1

v2.10.0

v2.10.1

v2.11.0

v2.11.1

v2.12.0

v2.13.0

v2.13.1

v2.14.1

v2.14.2

v2.15.0

v2.15.1

v2.15.2

v2.16.0

v2.16.1

v2.17.0

v2.18.0

v2.19.0

v2.2.0

v2.20.0

v2.21.0

v2.21.1

v2.22.0

v2.23.0

v2.23.1

v2.24.0

v2.25.0

v2.26.0

v2.26.1

v2.26.2

v2.27.0

v2.3.0

v2.4.0

v2.5.0

v2.5.1

v2.5.2

v2.6.0

v2.7.0

v2.8.0

v2.9.0

v2.9.1

v2.9.2

v3.*

v3.0.0

v3.1.0

v3.10.0

v3.11.0

v3.12.0

v3.12.1

v3.2.0

v3.2.1

v3.3.0

v3.4.0

v3.4.1

v3.4.2

v3.5.0

v3.5.1

v3.6.0

v3.6.1

v3.7.0

v3.7.1

v3.8.0

v3.9.0

v3.9.1

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

v4.0.8

v4.1.0

v4.1.1

v4.10.0

v4.10.1

v4.10.2

v4.11.0

v4.11.1

v4.12.0

v4.13.0

v4.13.1

v4.13.2

v4.13.3

v4.14.0

v4.2.0

v4.3.0

v4.4.0

v4.4.1

v4.5.0

v4.5.1

v4.5.2

v4.5.3

v4.5.4

v4.5.5

v4.5.6

v4.6.0

v4.6.1

v4.6.2

v4.7.0

v4.8.0

v4.8.1

v4.8.2

v4.9.0

v5.*

v5.0.0

v5.0.0-beta.0

v5.0.0-beta.1

v5.0.0-beta.2

v5.0.0-beta.3

v5.0.1

v5.0.2

v5.1.0

v5.2.0

v5.2.1

v5.3.0

v5.3.1

v5.3.2

v5.3.3

v5.3.4

v5.4.0

v5.4.1

v5.4.2

v5.5.0

v5.6.0

v5.6.1

v5.7.0

v5.7.1

v5.7.2

v5.8.0

v5.8.1

v6.*

v6.0.0

v6.0.0-beta.0

v6.0.1

v6.1.0

v6.1.1

v6.1.2

v6.2.0