Home > Vulnerability Database > CVE-2015-20110

Mend.io Vulnerability Database

CVE-2015-20110

Good to know:

Date: October 30, 2023

JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.

Language: TYPE_SCRIPT

Severity Score

7.5

Related Resources (7)

Url: https://github.com/jhipster/generator-jhipster/commit/79fe5626cb1bb80f9ac86cf46980748e65d2bdbc

Url: https://nvd.nist.gov/vuln/detail/CVE-2015-20110

Url: https://github.com/jhipster/generator-jhipster/issues/2095

Url: https://github.com/jhipster/generator-jhipster

Url: https://github.com/jhipster/generator-jhipster/compare/v2.22.0...v2.23.0

Url: https://github.com/jhipster/generator-jhipster/commit/7c49ab3d45dc4921b831a2ca55fb1e2a2db1ee25

Url: https://www.mend.io/vulnerability-database/CVE-2015-20110

Severity Score

7.5

Weakness Type (CWE)

Observable Timing Discrepancy

CWE-208

Improper Restriction of Excessive Authentication Attempts

CWE-307

Top Fix

Upgrade Version

Upgrade to version generator-jhipster - 2.23.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2015-20110

Good to know:

Date: October 30, 2023

Language: TYPE_SCRIPT

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?