Apache StreamPipes 0.69.00.93.0 CRNG Weak PRNG Vulnerability
CVE-2024-29868 Published on June 24, 2024
Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism.
This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.
This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
Vulnerability Analysis
CVE-2024-29868 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a PRNG Vulnerability?
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
CVE-2024-29868 has been classified to as a PRNG vulnerability or weakness.
Products Associated with CVE-2024-29868
Want to know whenever a new CVE is published for Apache Streampipes? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache StreamPipes:- Version 0.69.0, <= 0.93.0 is affected.
- Version 0.69.0, <= 0.93.0 is affected.
- Version 0.69.0 and below 0.95.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.