Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in StreamPipes

#VU93120 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in StreamPipes

Published: 2024-06-28

Vulnerability identifier: #VU93120

Vulnerability risk: High

CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2024-29868

CWE-ID: CWE-338

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
StreamPipes
Server applications / Other server solutions

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to compromise accounts of application users.

The vulnerability exists due to usage of a weak pseudo-random number generator for recovery tokens. A remote attacker can use the self-registration and password recovery mechanism to take over an arbitrary user account.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

StreamPipes: 0.69.0 - 0.93.0

External links
http://lists.apache.org/thread/zqn5z48gz7bp0q8ctk96ht8bc7vd3njv

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Account takeover in Apache StreamPipes