generator-jhipster-entity-audit Remote Code Execution Vulnerability via Unsafe Reflection
Vulnerability
A remote code execution vulnerability has been identified in the JHipster module 'generator-jhipster-entity-audit', affecting versions up to and including 5.9.0. The issue arises when Javers is selected as the Entity Audit Framework: the application loads a class named by user input without validating it (unsafe reflection), which can be exploited if an attacker is able to place a malicious class on the classpath and reach certain REST endpoints. Because the user-supplied name is passed to the class loader unchecked, arbitrary code can be executed.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where the application is running.
Reproduction
To reproduce this vulnerability, first upload a malicious class into the classpath, ensuring it resides within a package that JHipster applications can access. Then, with a user account that has ADMIN privileges, call the REST endpoint that fetches audit changes for an entity, supplying the name of the malicious class as the 'entityType' or 'qualifiedName' value. The application will load the class, triggering the execution of any static initializer code within it.
Remediation
Users can upgrade to version 5.9.1 or later to address this vulnerability.
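To make the pattern from the description and the reproduction steps concrete, the following is an added Java sketch, not the module's own code and not the Javers API: an 'entityType' request value handed straight to Class.forName(), beside a version that only resolves it against a fixed allowlist of audited entity classes. Customer and Invoice are placeholder entity classes assumed for the sketch.

```java
import java.util.Map;

// Illustrative sketch (not generator-jhipster-entity-audit code): a request
// parameter reaching the class loader unchecked, and an allowlisted alternative.
public class EntityTypeResolver {

    // VULNERABLE pattern as the advisory describes it: the string comes straight
    // from the request. Class.forName() initializes the named class, so any class
    // reachable on the classpath runs its static initializer here.
    public static Class<?> resolveUnsafe(String entityType) throws ClassNotFoundException {
        return Class.forName(entityType);
    }

    // HARDENED: the set of audited entity classes is fixed at startup. The
    // user-supplied value is only a lookup key; it is never passed to the loader.
    // Customer and Invoice are placeholders for the application's own entities.
    private static final Map<String, Class<?>> AUDITED_ENTITIES = Map.of(
        "Customer", Customer.class,
        "Invoice", Invoice.class
    );

    public static Class<?> resolveSafe(String entityType) {
        Class<?> type = AUDITED_ENTITIES.get(entityType);
        if (type == null) {
            // Reject and log: a value outside the allowlist is a useful detection
            // signal, since a legitimate client never sends an unknown entity name.
            throw new IllegalArgumentException("Unknown entity type: " + entityType);
        }
        return type;
    }

    // Placeholder entity classes so the sketch compiles stand-alone.
    static class Customer {}
    static class Invoice {}

    public static void main(String[] args) {
        System.out.println(resolveSafe("Customer").getSimpleName()); // Customer
        try {
            resolveSafe("com.example.NotAnEntity");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist check applies to a 'qualifiedName' parameter: map accepted names to classes known at startup rather than validating the string's shape, since any class on the classpath has a syntactically valid name.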