JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| generator-jhipster(npm) | 0 | 2.23.0 | N/A |
CVSS Metrics
