oss-security - CVE-2024-30471: Apache StreamPipes: Potential creation of multiple identical accounts

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <f30bb525-c054-fb1a-b814-001b450d74cd@apache.org>
Date: Tue, 16 Jul 2024 19:00:49 +0000
From: Dominik Riemer <riemer@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-30471: Apache StreamPipes: Potential creation of multiple
 identical accounts 

Severity: moderate

Affected versions:

- Apache StreamPipes through 0.93.0

Description:

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration.
This allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe's user management.
This issue affects Apache StreamPipes: through 0.93.0.

Users are recommended to upgrade to version 0.95.0, which fixes the issue.

Credit:

TonyNT from VNPT-NET (finder)

References:

https://streampipes.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-30471

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.