Timing Attack Vulnerability in JHipster Generator-JHipster

Timing Attack Vulnerability in JHipster Generator-JHipster

CVE-2015-20110 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.

Learn more about our Web Application Penetration Testing UK.