Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1jODQteHI5cC05Mzhy
High severity vulnerability that affects generator-jhipster
Generated code uses repository configuration that downloads over HTTP instead of HTTPS
Impact
Projects generated for Gradle resolved build dependencies from http://repo.spring.io/plugins-release over plain HTTP rather than HTTPS, so an attacker positioned on the network path (a man-in-the-middle) could tamper with the artifacts downloaded at build time and thereby run code of their choosing in the build.
Patches
Maven users should upgrade to at least 6.3.0; Gradle users should upgrade to at least 6.3.1.
If you are not able to upgrade, make sure that no repository in your build file is declared over plain http.
Workarounds
Replace all custom repository definitions in build.gradle or pom.xml with their https version.
e.g. in pom.xml:
<repository>
  <id>oss.sonatype.org-snapshot</id>
  <url>https://oss.sonatype.org/content/repositories/snapshots</url> <!-- must be httpS -->
  <releases>
    <enabled>false</enabled>
  </releases>
  <snapshots>
    <enabled>true</enabled>
  </snapshots>
</repository>
and in build.gradle:
maven { url "https://repo.spring.io/plugins-release" } // <-- must be httpS
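To check generated projects for the workaround above, and to apply it without corrupting the POM, here is an added example in Python. It is not code from the advisory or from generator-jhipster; the function names and the two sample build files are constructed for illustration.

```python
"""Find repositories declared over plain http:// in Maven and Gradle build files
and rewrite just those URLs to https://.

Added example, not part of the advisory or of generator-jhipster; the sample
build files below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# POM / settings.xml elements whose <url> child is a download location.
_REPO_TAG = r"(?:repository|pluginRepository|snapshotRepository|mirror)"
POM_REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository", "mirror"}

# Match "<url>http://" only inside one of those elements and never past its closing
# tag, so xmlns="http://maven.apache.org/POM/4.0.0" and the project homepage <url>
# are left alone: a blanket s/http/https/ on a POM breaks its namespace.
POM_REPO_URL_RE = re.compile(
    r"(<" + _REPO_TAG + r"\b[^>]*>"          # opening tag of the repository element
    r"(?:(?!</" + _REPO_TAG + r">).)*?"     # anything up to, but not past, its closing tag
    r"<url>\s*)http://",
    re.DOTALL,
)

# Groovy and Kotlin DSL spellings: url "..", url '..', url = "..", url = uri(".."),
# setUrl(".."), maven(".."). A commented-out declaration also matches; that is
# harmless for the rewrite and a useful hint when scanning.
GRADLE_REPO_URL_RE = re.compile(
    r"""((?:url\s*=?\s*(?:uri\s*\()?|setUrl\s*\(|maven\s*\()\s*['"])(http://[^'"]+)(['"])"""
)


def _local(tag):
    """Strip the XML namespace: '{http://maven.apache.org/POM/4.0.0}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def insecure_pom_repos(pom_xml):
    """Return repository URLs in a POM (or settings.xml) that use plain http://."""
    hits = []
    for element in ET.fromstring(pom_xml).iter():
        if _local(element.tag) not in POM_REPO_TAGS:
            continue
        for child in element:
            if _local(child.tag) == "url" and child.text and child.text.strip().startswith("http://"):
                hits.append(child.text.strip())
    return hits


def insecure_gradle_repos(build_gradle):
    """Return repository URLs in a build.gradle(.kts) that use plain http://."""
    return [m.group(2) for m in GRADLE_REPO_URL_RE.finditer(build_gradle)]


def fix_pom(pom_xml):
    """Rewrite repository <url> values from http:// to https://, nothing else."""
    return POM_REPO_URL_RE.sub(lambda m: m.group(1) + "https://", pom_xml)


def fix_gradle(build_gradle):
    """Rewrite repository URL strings from http:// to https://, nothing else."""
    return GRADLE_REPO_URL_RE.sub(
        lambda m: m.group(1) + "https://" + m.group(2)[len("http://"):] + m.group(3),
        build_gradle,
    )


# Constructed sample inputs: one http repository per file type plus entries that must NOT change.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <url>http://example.com/demo</url>
  <repositories>
    <repository>
      <id>oss.sonatype.org-snapshot</id>
      <url>http://oss.sonatype.org/content/repositories/snapshots</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>spring-plugins</id>
      <url>http://repo.spring.io/plugins-release</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

SAMPLE_GRADLE = """\
buildscript {
    repositories {
        mavenCentral()
        maven { url "http://repo.spring.io/plugins-release" }
    }
}
repositories {
    maven { url 'http://oss.sonatype.org/content/repositories/snapshots' }
    maven { url = uri("http://repo.example.internal/m2") }
    maven { url "https://plugins.gradle.org/m2/" }
}
"""

if __name__ == "__main__":
    for name, text, scan in (("pom.xml", SAMPLE_POM, insecure_pom_repos),
                             ("build.gradle", SAMPLE_GRADLE, insecure_gradle_repos)):
        for url in scan(text):
            print(f"{name}: insecure repository {url}")
```

To use it on a real project, read each pom.xml, settings.xml and build.gradle(.kts) into a string and pass it to the scan and fix functions. The targeted rewrite matters because a POM also uses http:// in its xmlns and xsi:schemaLocation attributes, which are identifiers rather than download locations; a blanket sed from http to https produces a POM Maven cannot parse. Gradle 7 and later refuse http:// repositories unless allowInsecureProtocol is set, and Maven 3.8.1 and later block them through a default mirror, so current toolchains catch this mistake at build time; the scan is still worth running on projects pinned to older tool versions, which is the situation the advisory describes.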
References
- https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/
For more information
If you have any questions or comments about this advisory:
- Open an issue in https://github.com/jhipster/generator-jhipster/issues
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1jODQteHI5cC05Mzhy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 5 years ago
Updated: almost 2 years ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-mc84-xr9p-938r
References:
- https://github.com/jhipster/generator-jhipster/security/advisories/GHSA-mc84-xr9p-938r
- https://github.com/advisories/GHSA-mc84-xr9p-938r
- https://snyk.io/vuln/SNYK-JS-GENERATORJHIPSTER-536074
Blast Radius: 33.3
Affected Packages
npm:generator-jhipster
Dependent packages: 198
Dependent repositories: 12,842
Downloads: 745,558 last month
Affected Version Ranges: < 6.3.1
Fixed in: 6.3.1
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.0.17, 0.0.18, 0.0.19, 0.0.20, 0.0.21, 0.0.22, 0.0.23, 0.0.26, 0.0.27, 0.0.28, 0.0.29, 0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.17.1, 0.17.2, 0.18.0, 0.18.1, 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.12.0, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.16.0, 2.16.1, 2.17.0, 2.18.0, 2.19.0, 2.20.0, 2.21.0, 2.21.1, 2.22.0, 2.23.0, 2.23.1, 2.24.0, 2.25.0, 2.26.0, 2.26.1, 2.26.2, 2.27.0, 2.27.1, 2.27.2, 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.9.1, 3.10.0, 3.11.0, 3.12.0, 3.12.1, 3.12.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.8.0, 4.8.1, 4.8.2, 4.9.0, 4.10.0, 4.10.1, 4.10.2, 4.11.0, 4.11.1, 4.12.0, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0, 4.14.1, 4.14.2, 4.14.3, 4.14.4, 4.14.5, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.2.0, 5.2.1, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.4.0, 5.4.1, 5.4.2, 5.5.0, 5.6.0, 5.6.1, 5.7.0, 5.7.1, 5.7.2, 5.8.0, 5.8.1, 5.8.2, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.3.0
All unaffected versions: 6.3.1, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.6.0, 6.7.0, 6.7.1, 6.8.0, 6.9.0, 6.9.1, 6.10.0, 6.10.1, 6.10.2, 6.10.3, 6.10.4, 6.10.5, 7.0.0, 7.0.1, 7.1.0, 7.2.0, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.6.0, 7.7.0, 7.8.0, 7.8.1, 7.9.0, 7.9.1, 7.9.2, 7.9.3, 7.9.4, 8.0.0, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.7.1, 8.7.2, 8.7.3