GHSA-PFXF-WH96-FVJC

Vulnerability from github – Published: 2020-06-25 20:02 – Updated: 2021-01-07 23:50
VLAI?
Summary
Log Forging in generator-jhipster-kotlin
Details

Impact

We log the mail for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html

This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable.

Patches

version 1.7.0.

Workarounds

In AccountResource.kt you should change the line

 log.warn("Password reset requested for non existing mail '$mail'");

to 

 log.warn("Password reset requested for non existing mail");

References

  • https://cwe.mitre.org/data/definitions/117.html
  • https://owasp.org/www-community/attacks/Log_Injection
  • https://www.baeldung.com/jvm-log-forging

For more information

If you have any questions or comments about this advisory: * Open an issue in jhipster kotlin

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "generator-jhipster-kotlin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.6.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-4072"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-25T20:02:31Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWe log the mail for invalid password reset attempts. \nAs the email is provided by a user and the api is public this can be used by an attacker to forge log entries.\nThis is vulnerable to https://cwe.mitre.org/data/definitions/117.html\n\nThis problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable.\n\n### Patches\n\nversion 1.7.0.\n\n### Workarounds\n\nIn `AccountResource.kt` you should change the line\n\n```kotlin\n log.warn(\"Password reset requested for non existing mail \u0027$mail\u0027\");\n```\n\nto \n\n```kotlin\n log.warn(\"Password reset requested for non existing mail\");\n```\n\n### References\n\n* https://cwe.mitre.org/data/definitions/117.html\n* https://owasp.org/www-community/attacks/Log_Injection\n* https://www.baeldung.com/jvm-log-forging\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [jhipster kotlin](https://github.com/jhipster/jhipster-kotlin)",
  "id": "GHSA-pfxf-wh96-fvjc",
  "modified": "2021-01-07T23:50:00Z",
  "published": "2020-06-25T20:02:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-pfxf-wh96-fvjc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4072"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jhipster/jhipster-kotlin/commit/426ccab85e7e0da562643200637b99b6a2a99449"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/attacks/Log_Injection"
    },
    {
      "type": "WEB",
      "url": "https://www.baeldung.com/jvm-log-forging"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Log Forging in generator-jhipster-kotlin"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.