3,880 Pull Requests Generated to fix JHipster RNG Vulnerability CVE-2019-16303

[JLLeitschuh]

CVE ID(s)

• CVE-2019-16303

Fix resulted in one advisory being issued so far:

• GHSA-fqr4-97jj-j85v

The tracker issue that links to all 3,880 PRs can be found here:
JLLeitschuh/bulk-security-pr-generator#5

Report

This project is a collaboration with @jkschneider. This bounty should be split with him.

In 2019, I discovered a vulnerability in the JHipster code generator where it was generating vulnerable implementations of a class called RandomUtil.java.

Using one password reset token from these apps combined with the POC below, an attacker can determine all future password reset tokens to be generated by these vulnerable servers.
This would allow an attacker to pick and choose what account they would like to takeover by sending account password reset requests for targeted accounts.

POC code has existed since March 3rd, 2018 for taking one RNG value generated by RandomStringUtils and reversing it to generate all of the past/future RNG values.

The fix was generated for each vulnerable file, preserving the original style of the file, by the Rewrite project.
See the specific code for this fix here.

The source for the bot can be found here: https://github.com/JLLeitschuh/bulk-security-pr-generator

Query

The query associated with finding exact instances of this vulnerability can be found here:
github/codeql#4312

• Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing (Hopefully at GitHub Universe)

[xcorail]

Hey @JLLeitschuh 👋🏾
What is the impact so far? How many PRs merged, how many closed?
Thanks

[JLLeitschuh]

Hey @xcorail,

Looks like so far there have been 50 merged PRs and one official advisory issued. GHSA-fqr4-97jj-j85v

https://github.com/pulls?q=is%3Apr+is%3Aopen+author%3AJLLeitschuh+archived%3Afalse+sort%3Aupdated-desc+%5BSECURITY%5D+CVE-2019-16303+-+JHipster

[JLLeitschuh]

57 merged PRs so far

[ghsecuritylab]

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

[ghsecuritylab]

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

[xcorail]

Created Hackerone report 1065402 for bounty 267737 : [191] 3,880 Pull Requests Generated to fix JHipster RNG Vulnerability CVE-2019-16303

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed