Message-ID: <f12ea63a-0161-df46-ebe8-37569bfdb4f6@apache.org>
Date: Sat, 22 Jun 2024 12:34:27 +0000
From: Dominik Riemer <riemer@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-29868: Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation

Severity: important

Affected versions:

- Apache StreamPipes 0.69.0 through 0.93.0
- Apache StreamPipes 0.69.0 through 0.93.0

Description:

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.

This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.

Users are recommended to upgrade to version 0.95.0, which fixes the issue.

Credit:

Alessandro Albani, Digital Security Division Var Group (finder)

References:

https://streampipes.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-29868
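The weakness class named in the advisory, shown as an added example; this is not code from the advisory or from Apache StreamPipes. The advisory does not say which generator was used, so `java.util.Random` stands in as an assumed weak PRNG, and the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class RecoveryTokenDemo {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final SecureRandom CSPRNG = new SecureRandom();

    // Weak pattern (assumed for illustration): java.util.Random is a 48-bit
    // linear congruential generator, so the whole token is a function of the
    // seed and a longer token adds no unpredictability.
    static String weakToken(Random prng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(prng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // Hardened pattern: 32 bytes (256 bits) from a CSPRNG, URL-safe encoded.
    static String strongToken() {
        byte[] raw = new byte[32];
        CSPRNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Compare the stored and presented token without an early-exit byte loop.
    static boolean tokenMatches(String expected, String presented) {
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        long seed = 1719059667000L; // constructed sample seed
        String a = weakToken(new Random(seed), 32);
        String b = weakToken(new Random(seed), 32);
        System.out.println("weak tokens identical for same seed: " + a.equals(b));

        String s1 = strongToken();
        String s2 = strongToken();
        System.out.println("strong tokens differ: " + !s1.equals(s2));
        System.out.println("stored token verifies: " + tokenMatches(s1, s1));
    }
}
```

When auditing a code base for this class of bug, flag any security token built from `java.util.Random`, `Math.random()` or a similar non-cryptographic generator, and check that recovery tokens are also single-use and short-lived.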