CVE-2025-43712 (CNNVD-202507-3156)
中文标题:
JHipster 安全漏洞
英文标题:
JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon regis...
漏洞描述
中文描述:
JHipster是一款开源的应用程序生成器,它主要使用Angular或React和Spring Framework开发Web应用程序和微服务。 JHipster 8.9.0之前版本存在安全漏洞,该漏洞源于authorities参数未经验证,可能导致权限提升。
英文描述:
JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLE_USER. By manipulating the authorities parameter and changing its value to ROLE_ADMIN, the privilege is successfully escalated to an Admin level. This allowed the access to all admin-related functionalities in the application. NOTE: this is disputed by the Supplier because there is no privilege escalation in the context of the JHipster backend (the report only demonstrates that, after using JHipster to generate an application, one can make a non-functional admin screen visible in the front end of that application).
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| JHipster | JHipster | - | - | - |
cpe:2.3:a:jhipster:jhipster:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
LOWCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-43712 |
2025-11-11 15:23:21 | 2025-11-11 07:40:32 |
| NVD | nvd_CVE-2025-43712 |
2025-11-11 15:00:57 | 2025-11-11 07:48:20 |
| CNNVD | cnnvd_CNNVD-202507-3156 |
2025-11-11 15:12:51 | 2025-11-11 08:00:02 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202507-3156
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']