CVE-2020-4072

Description

### Impact We log the mail for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable. ### Patches version 1.7.0. ### Workarounds In `AccountResource.kt` you should change the line ```kotlin log.warn("Password reset requested for non existing mail '$mail'"); ``` to ```kotlin log.warn("Password reset requested for non existing mail"); ``` ### References * https://cwe.mitre.org/data/definitions/117.html * https://owasp.org/www-community/attacks/Log_Injection * https://www.baeldung.com/jvm-log-forging ### For more information If you have any questions or comments about this advisory: * Open an issue in [jhipster kotlin](https://github.com/jhipster/jhipster-kotlin)

How to fix CVE-2020-4072

To remediate CVE-2020-4072, upgrade the affected package to a fixed version below.

• —upgrade to 1.7.0 or later

Is CVE-2020-4072 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 1.6.0, < 1.7.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-4072
• WEBgithub.com/jhipster/jhipster-kotlin/commit/426ccab85e7e0da562643200637b99b6a2a99449
• WEBgithub.com/jhipster/jhipster-kotlin/security/advisories/GHSA-pfxf-wh96-fvjc
• WEBowasp.org/www-community/attacks/Log_Injection