GMS-2022-5123: generator-jhipster vulnerable to login check Regular Expression Denial of Service

October 6, 2022

Impact

For applications using JWT or session-based authentication (not OIDC), users can input a login string which can cause a denial of service, as parsing it will be too complex.

References

gist.github.com/atomfrede/311f8a9c6eb74c5c5226af0481155207
github.com/advisories/GHSA-8w7w-67mw-r5p7
github.com/jhipster/generator-jhipster/security/advisories/GHSA-8w7w-67mw-r5p7
www.jhipster.tech/2020/05/17/jhipster-release-6.9.0.html

Code Behaviors & Features

Detect and mitigate GMS-2022-5123 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →