CVE-2019-16303: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

September 13, 2019 (updated September 16, 2019)

A class generated by the Generator in JHipster produces code that uses an insecure source of randomness. This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.

References

nvd.nist.gov/vuln/detail/CVE-2019-16303
www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html

Code Behaviors & Features

Detect and mitigate CVE-2019-16303 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →