fkie_cve-2025-31119
Vulnerability from fkie_nvd
Published
2025-04-03 20:15
Modified
2025-04-07 14:18
Summary
generator-jhipster-entity-audit is a JHipster module that enables entity auditing and an audit log page. Prior to 5.9.1, generator-jhipster-entity-audit allows unsafe reflection when Javers is selected as the Entity Audit Framework. If an attacker manages to place malicious classes on the classpath and also has access to the REST interface for calling the mentioned REST endpoints, these lines of code can lead to unintended remote code execution. This vulnerability is fixed in 5.9.1.
Impacted products
Vendor Product Version



{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "generator-jhipster-entity-audit is a JHipster module to enable entity audit and audit log page. Prior to 5.9.1, generator-jhipster-entity-audit allows unsafe reflection when having Javers selected as Entity Audit Framework. If an attacker manages to place some malicious classes into the classpath and also has access to these REST interface for calling the mentioned REST endpoints, using these lines of code can lead to unintended remote code execution. This vulnerability is fixed in 5.9.1."
    },
    {
      "lang": "es",
      "value": "generator-jhipster-entity-audit es un m\u00f3dulo de JHipster que habilita la auditor\u00eda de entidades y la p\u00e1gina de registro de auditor\u00eda. En versiones anteriores a la versi\u00f3n 5.9.1, generator-jhipster-entity-audit permit\u00eda la reflexi\u00f3n insegura al seleccionar Javers como marco de auditor\u00eda de entidades. Si un atacante logra insertar clases maliciosas en la ruta de clases y, adem\u00e1s, tiene acceso a estas interfaces REST para llamar a los endpoints REST mencionados, el uso de estas l\u00edneas de c\u00f3digo puede provocar la ejecuci\u00f3n remota no intencionada de c\u00f3digo. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 5.9.1."
    }
  ],
  "id": "CVE-2025-31119",
  "lastModified": "2025-04-07T14:18:34.453",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-04-03T20:15:25.223",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/_package_/web/rest/JaversEntityAuditResource.java.ejs#L88"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/jhipster/generator-jhipster-entity-audit/security/advisories/GHSA-7rmp-3g9f-cvq8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-470"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}