JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-10-31T00:00:00

Updated: 2024-09-06T18:28:17.077Z

Reserved: 2023-10-31T00:00:00

Link: CVE-2015-20110

cve-icon Vulnrichment

Updated: 2024-08-06T08:58:26.495Z

cve-icon NVD

Status : Analyzed

Published: 2023-10-31T03:15:07.613

Modified: 2023-11-08T17:39:35.023

Link: CVE-2015-20110

cve-icon Redhat

No data.