CVE-2020-4072

In generator-jhipster-kotlin version 1.6.0 log entries are created for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable. This issue has been fixed in version 1.7.0.

In generator-jhipster-kotlin version 1.6.0 log entries are created for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable. This issue has been fixed in version 1.7.0.

### Impact We log the mail for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable. ### Patches version 1.7.0. ### Workarounds In `AccountResource.kt` you should change the line ```kotlin log.warn("Password reset requested for non existing mail '$mail'"); ``` to ```kotlin log.warn("Password reset requested for non existing mail"); ``` ### References * https://cwe.mitre.org/data/definitions/117.html * https://owasp.org/www-community/attacks/Log_Injection * https://www.baeldung.com/jvm-log-forging ### For more information If you have any questions or comments about this advisory: * Open an issue in [jhipster kotlin](https://github.com/jhipster/jhipster-kotlin)

### Impact We log the mail for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable. ### Patches version 1.7.0. ### Workarounds In `AccountResource.kt` you should change the line ```kotlin log.warn("Password reset requested for non existing mail '$mail'"); ``` to ```kotlin log.warn("Password reset requested for non existing mail"); ``` ### References * https://cwe.mitre.org/data/definitions/117.html * https://owasp.org/www-community/attacks/Log_Injection * https://www.baeldung.com/jvm-log-forging ### For more information If you have any questions or comments about this advisory: * Open an issue in [jhipster kotlin](https://github.com/jhipster/jhipster-kotlin)

En generator-jhipster-kotlin versión 1.6.0, son creadas entradas de registro para intentos de restablecimiento de contraseña no válidos. Como el correo electrónico lo proporciona un usuario y la API es pública, un atacante puede usarla para falsificar entradas de registro. Esto es vulnerable para https://cwe.mitre.org/data/definitions/117.html. Este problema afecta solo a las aplicaciones generadas con jwt o autenticación de sesión. Las aplicaciones que usan oauth no son vulnerables. Este problema ha sido corregido en la versión 1.7.0