CVE-2019-16303

A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.

Published: Sep 14, 2019
Updated: Nov 9, 2025
CVE: CVE-2019-16303
GHSA: GHSA-j3rh-8vwq-wh84
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-338

Affected Software
References

Software	From	Fixed in
jhipster / jhipster	-	6.3.0
jhipster / jhipster_kotlin	-	1.1.0.x
generator-jhipster-kotlin	-	1.2.0

https://github.com/jhipster/generator-jhipster/commit/88448b85fd3e8e49df103f0061359037c2c68ea7
https://github.com/jhipster/generator-jhipster/issues/10401
https://github.com/jhipster/generator-jhipster/security/advisories/GHSA-mwp6-j9wf-968c
https://github.com/jhipster/jhipster-kotlin/commit/deec3587ef7721cf5de5b960d43e9b68beff6193
https://github.com/jhipster/jhipster-kotlin/issues/183
https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84
https://lists.apache.org/thread.html/r6d243e7e3f25daeb242dacf3def411fba32a9388d3ff84918cb28ddd@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/r6d243e7e3f25daeb242dacf3def411fba32a9388d3ff84918cb28ddd%40%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/rc3f00f5d3d2ec0e2381a3b9096d5f5b4d46ec1587ee7e251a3dbb897@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/rc3f00f5d3d2ec0e2381a3b9096d5f5b4d46ec1587ee7e251a3dbb897%40%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/rc87fa35a48b5d70b06af6fb81785ed82e82686eb83307aae6d250dc9@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/rc87fa35a48b5d70b06af6fb81785ed82e82686eb83307aae6d250dc9%40%3Cissues.commons.apache.org%3E
https://snyk.io/vuln/SNYK-JS-GENERATORJHIPSTER-466980
https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html
https://www.npmjs.com/advisories/1187
https://www.npmjs.com/advisories/1188

Vulnerability Database

300,926

CVE-2019-16303

Deep Security Visibility Without the Complexity