oss-sec mailing list archives

CVE-2024-29868: Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation


From: Dominik Riemer <riemer () apache org>
Date: Sat, 22 Jun 2024 12:34:27 +0000

Severity: important

Affected versions:

- Apache StreamPipes 0.69.0 through 0.93.0

Description:

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user 
self-registration and password recovery mechanism.
This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's 
account.
This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.

Users are recommended to upgrade to version 0.95.0, which fixes the issue.

Credit:

Alessandro Albani, Digital Security Division Var Group (finder)

References:

https://streampipes.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-29868
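
The weakness class described in this advisory, as an added Java example (not StreamPipes code and not from the advisory's author): a recovery token drawn from a general-purpose PRNG next to one drawn from `SecureRandom`, with hashed storage, expiry and constant-time comparison. The class and method names, the 30-minute lifetime and the use of `java.util.Random` as the weak generator are assumptions; the advisory does not name the generator StreamPipes used.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Random;

// Added illustration; all names here are hypothetical, not StreamPipes code.
public class RecoveryTokens {
    private static final SecureRandom CSPRNG = new SecureRandom();
    private static final Duration LIFETIME = Duration.ofMinutes(30); // assumed policy

    // What the server keeps: a digest of the token and its expiry, never the token itself.
    public record Stored(byte[] sha256, Instant expiresAt) {}

    // 32 bytes from the given generator, URL-safe so it can travel in a recovery link.
    private static String token(Random rng) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Weak pattern (assumed for illustration): java.util.Random carries only
    // 48 bits of state, so a long token still has far less entropy than its length suggests.
    static String weakToken() { return token(new Random()); }

    // Hardened pattern: the same 256-bit token, drawn from the platform CSPRNG.
    static String newToken() { return token(CSPRNG); }

    static byte[] digest(String token) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
    }

    static Stored store(String token, Instant now) throws NoSuchAlgorithmException {
        return new Stored(digest(token), now.plus(LIFETIME));
    }

    // Expiry check plus constant-time digest comparison; the caller deletes the record on success.
    static boolean verify(String presented, Stored s, Instant now) throws NoSuchAlgorithmException {
        return now.isBefore(s.expiresAt()) && MessageDigest.isEqual(digest(presented), s.sha256());
    }

    public static void main(String[] args) throws Exception {
        Instant now = Instant.now();
        String issued = newToken();
        Stored record = store(issued, now);
        System.out.println("issued token accepted:  " + verify(issued, record, now));
        System.out.println("other token accepted:   " + verify(newToken(), record, now));
        System.out.println("expired token accepted: " + verify(issued, record, now.plus(Duration.ofHours(1))));
    }
}
```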

