PT-2020-17862 · Jhipster · Generator-Jhipster-Kotlin

Sendilkumarn · Published 2020-06-25 · Updated 2020-07-10 · CVE-2020-4072

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
generator-jhipster-kotlin version 1.6.0

Description
The issue allows an attacker to forge log entries: the password-reset endpoint logs a warning for every reset attempt against a non-existent account, and that warning embeds the email address verbatim. Because the email address is supplied by the user and the API is public (no authentication required), an attacker controls what lands in the log. Only applications generated with JWT or session authentication are affected; applications using OAuth are not vulnerable.

Recommendations
For generator-jhipster-kotlin version 1.6.0, as a temporary workaround, edit the AccountResource.kt file and change the line log.warn("Password reset requested for non existing mail '$mail'"); to log.warn("Password reset requested for non existing mail");. To fully resolve the issue, update to version 1.7.0.
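The following is an added example, not code from generator-jhipster-kotlin or from the advisory. It places the vulnerable log call described above beside the advisory's workaround (dropping the user-controlled value) and beside an alternative hardening that keeps the value but neutralises line breaks so a crafted address cannot start a new log line. The class name AccountResourceExample and the helper sanitizeForLog are hypothetical; the SLF4J API and its {} placeholder syntax are real.

```kotlin
import org.slf4j.LoggerFactory

// Hypothetical helper (not part of generator-jhipster-kotlin): escape CR and LF so a
// user-controlled string stays on a single log line.
fun sanitizeForLog(value: String): String =
    value.replace("\r", "\\r").replace("\n", "\\n")

// Simple check a reviewer or test can run over values destined for the log.
fun isSingleLine(value: String): Boolean =
    !value.contains('\n') && !value.contains('\r')

class AccountResourceExample {
    private val log = LoggerFactory.getLogger(AccountResourceExample::class.java)

    // Vulnerable form, as described in the advisory: raw user input is interpolated into
    // the message, so an address containing a newline forges an additional entry.
    fun requestPasswordResetVulnerable(mail: String) {
        log.warn("Password reset requested for non existing mail '$mail'")
    }

    // Workaround from the advisory: do not log the user-controlled value at all.
    fun requestPasswordResetWorkaround(mail: String) {
        log.warn("Password reset requested for non existing mail")
    }

    // Alternative hardening (not the advisory's fix): keep the value for troubleshooting,
    // but escape line breaks first and pass it as a placeholder argument.
    fun requestPasswordResetSanitized(mail: String) {
        log.warn("Password reset requested for non existing mail '{}'", sanitizeForLog(mail))
    }
}

fun main() {
    // Constructed sample input: an "address" carrying a line break followed by text that
    // would otherwise appear as a separate log entry.
    val crafted = "user@example.com\nforged second line"
    println(isSingleLine(crafted))            // false: would split into two log lines
    println(sanitizeForLog(crafted))          // user@example.com\nforged second line (one line)
    println(isSingleLine(sanitizeForLog(crafted)))  // true
}
```

Of the two hardened forms, the advisory's workaround is the safer default because it removes the attacker-controlled field entirely; the sanitising variant is useful where operators need the attempted address for investigation, and should be paired with a log format that also escapes control characters on output.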

Fix


Weakness Enumeration

Related Identifiers

CVE-2020-4072
GHSA-PFXF-WH96-FVJC

Affected Products

Generator-Jhipster-Kotlin