Headline
GHSA-4gpm-r23h-gprw: generator-jhipster allows a timing attack against validateToken due to a string comparison that stops at the first character
JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.
generator-jhipster allows a timing attack against validateToken due to a string comparison that stops at the first character
Moderate severity GitHub Reviewed Published Oct 31, 2023 to the GitHub Advisory Database • Updated Oct 31, 2023
Related news
JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.