cbcvebase.
CVE-2024-29868
published 2024-06-24

CVE-2024-29868: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism…

PriorityP266critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EXPLOIT
EPSS
6.00%
92.4th percentile
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.

Affected

2 ranges
VendorProductVersion rangeFixed in
apachestreampipes0.69.0 – 0.93.0
apache_software_foundationapache_streampipes0.69.0 – 0.93.0

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerable versions of Apache StreamPipes span from 0.69.0 through 0.93.0; any deployment in this range is susceptible to weak PRNG token guessing attacks against user self-registration and password recovery endpoints.
  • The attack vector targets the user self-registration and password recovery mechanism; monitor for abnormally high or rapid requests to password-reset/token-validation endpoints, which may indicate brute-force token guessing.
  • ·The fix is only present in version 0.95.0 and later; versions 0.69.0–0.93.0 are confirmed vulnerable. Version 0.94.0 is not explicitly listed as patched, so treat it as potentially vulnerable until confirmed otherwise.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.