Date: Sat, 22 Jun 2024 12:34:27 +0000
From: Dominik Riemer <riemer@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-29868: Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation

Severity: important

Affected versions:

- Apache StreamPipes 0.69.0 through 0.93.0

Description:

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism.
This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.
This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.

Users are recommended to upgrade to version 0.95.0, which fixes the issue.

Credit:

Alessandro Albani, Digital Security Division Var Group (finder)

References:

https://streampipes.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-29868
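The class of fix the advisory points to, shown as an added illustration that is not Apache StreamPipes' own code: a recovery-token generator backed by java.security.SecureRandom instead of a weak PRNG, with the token persisted only as a hash and checked in constant time. The class and method names are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Added example, not StreamPipes code: minting and checking a password-recovery
// token once a cryptographically strong PRNG replaces a predictable one.
public final class RecoveryTokenGenerator {
    // SecureRandom draws from the platform CSPRNG. A java.util.Random or any
    // clock-seeded generator yields predictable output, which is the weakness
    // class CVE-2024-29868 describes.
    private static final SecureRandom RNG = new SecureRandom();
    private static final int TOKEN_BYTES = 32; // 256 bits of entropy

    private RecoveryTokenGenerator() {}

    // Mint a fresh URL-safe token to deliver to the user out of band.
    public static String newToken() {
        byte[] raw = new byte[TOKEN_BYTES];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Persist only the hash, so a database read does not expose live tokens.
    public static byte[] hashForStorage(String token) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    // Constant-time comparison, so timing reveals nothing about the stored hash.
    // Callers should additionally enforce single use and a short expiry.
    public static boolean matches(String presented, byte[] storedHash) {
        return MessageDigest.isEqual(hashForStorage(presented), storedHash);
    }

    public static void main(String[] args) {
        String token = newToken();
        byte[] stored = hashForStorage(token);
        System.out.println("issued token: " + token);
        System.out.println("presented token accepted: " + matches(token, stored));
        System.out.println("unrelated token accepted: " + matches(newToken(), stored));
    }
}
```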
