High severity vulnerability that affects generator-jhipster

Generated code uses repository configuration that downloads over HTTP instead of HTTPS

Impact

Gradle users were using the http://repo.spring.io/plugins-release repositories in plain HTTP, and not HTTPS, so a man-in-the-middle attack was possible at build time.

Patches

Maven users should at least upgrade to 6.3.0 while Gradle users should update to 6.3.1. If you are not able to upgrade make sure not to use a Maven repository via http in your build file.

Workarounds

Replace all custom repository definitions in build.gradle or pom.xml with their https version.

e.g.

 &lt;repository&gt;
            &lt;id&gt;oss.sonatype.org-snapshot&lt;/id&gt;
            &lt;url&gt;https://oss.sonatype.org/content/repositories/snapshots&lt;/url&gt; // &lt;-- must be httpS
            &lt;releases&gt;
                &lt;enabled&gt;false&lt;/enabled&gt;
            &lt;/releases&gt;
            &lt;snapshots&gt;
                &lt;enabled&gt;true&lt;/enabled&gt;
            &lt;/snapshots&gt;
&lt;/repository&gt;

maven { url &quot;https://repo.spring.io/plugins-release&quot; } // &lt;-- must be httpS

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/jhipster/generator-jhipster/issues

Published: Sep 23, 2019
Updated: Apr 14, 2023
GHSA: GHSA-mc84-xr9p-938r
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

Affected Software
References

Software	From	Fixed in
generator-jhipster	-	6.3.1

Vulnerability Database

300,926