Описание
High severity vulnerability that affects generator-jhipster
Generated code uses repository configuration that downloads over HTTP instead of HTTPS
Impact
Gradle users were using the http://repo.spring.io/plugins-release repositories in plain HTTP, and not HTTPS, so a man-in-the-middle attack was possible at build time.
Patches
Maven users should at least upgrade to 6.3.0 while Gradle users should update to 6.3.1.
If you are not able to upgrade make sure not to use a Maven repository via http in your build file.
Workarounds
Replace all custom repository definitions in build.gradle or pom.xml with their https version.
e.g.
<repository>
<id>oss.sonatype.org-snapshot</id>
<url>https://oss.sonatype.org/content/repositories/snapshots</url> // <-- must be httpS
<releases>
<enabled>false</enabled>
</releases>
<snapshots>
<enabled>true</enabled>
</snapshots>
</repository>
maven { url "https://repo.spring.io/plugins-release" } // <-- must be httpS
References
- https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/
For more information
If you have any questions or comments about this advisory:
- Open an issue in https://github.com/jhipster/generator-jhipster/issues
Пакеты
Наименование
generator-jhipster
npm
Затронутые версииВерсия исправления
< 6.3.1
6.3.1
8.1 High
CVSS3
Дефекты
CWE-494
CWE-829
8.1 High
CVSS3
Дефекты
CWE-494
CWE-829