Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-29868

CWE-3385 documents5 sources

Severity

9.1CRITICAL

EPSS

78.4%

top 0.97%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Software Foundation Apache Streampipes Apache Streampipes

Timeline

PublishedJun 24

Description

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶Mavenorg.apache.streampipes:streampipes-resource-management0.69.0 — 0.95.0

▶NVDapache/streampipes0.69.0 — 0.93.0

▶CVEListV5apache_software_foundation/apache_streampipes0.69.0 — 0.93.0

🔴Vulnerability Details

CVEList

Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation↗2024-06-24

▶

GHSA

Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation↗2024-06-24

▶

OSV

Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation↗2024-06-24

▶

💥Exploits & PoCs

Nuclei

Apache StreamPipes <= 0.93.0 - Use of Cryptographically Weak PRNG in Recovery Token Generation

▶