CVE-2024-29868 - Vulnerability Details - OpenCVE

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Streampipes

Configuration 1 [-]

cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/06/22/1
https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.52878}`	epss `{'score': 0.60714}`

Tue, 15 Jul 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache streampipes
CPEs		cpe:2.3:a:apache:streampipes::::::::
Vendors & Products		Apache Apache streampipes

Fri, 13 Sep 2024 17:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2024/06/22/1

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-06-24T09:59:39.941Z

Updated: 2024-09-13T16:03:11.423Z

Reserved: 2024-03-21T08:24:52.469Z

Link: CVE-2024-29868

Vulnrichment

Updated: 2024-09-13T16:03:11.423Z

NVD

Status : Analyzed

Published: 2024-06-24T10:15:09.387

Modified: 2025-07-15T15:39:09.700

Link: CVE-2024-29868

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29868", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-03-21T08:24:52.469Z", "datePublished": "2024-06-24T09:59:39.941Z", "dateUpdated": "2024-09-13T16:03:11.423Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "streampipes-user-management", "product": "Apache StreamPipes", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "0.93.0", "status": "affected", "version": "0.69.0", "versionType": "maven"}]}, {"defaultStatus": "unaffected", "packageName": "streampipes-model", "product": "Apache StreamPipes", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "0.93.0", "status": "affected", "version": "0.69.0", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Alessandro Albani, Digital Security Division Var Group"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes <span style=\"background-color: rgb(255, 255, 255);\">user self-registration and password recovery mechanism</span>.<br>This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.<br><p>This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.</p><p>Users are recommended to upgrade to version 0.95.0, which fixes the issue.</p>"}], "value": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes\u00a0user self-registration and password recovery mechanism.\nThis allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.\nThis issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-06-24T09:59:39.941Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "apache", "product": "streampipes", "cpes": ["cpe:2.3:a:apache:streampipes:0.69.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0.69.0", "status": "affected", "lessThan": "0.95.0", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-06-24T13:25:38.311777Z", "id": "CVE-2024-29868", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-24T13:27:04.364Z"}}, {"title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/22/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T16:03:11.423Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/22/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T16:03:11.423Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-29868", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-24T13:25:38.311777Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:streampipes:0.69.0:*:*:*:*:*:*:*"], "vendor": "apache", "product": "streampipes", "versions": [{"status": "affected", "version": "0.69.0", "lessThan": "0.95.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-24T13:26:59.730Z"}}], "cna": {"title": "Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Alessandro Albani, Digital Security Division Var Group"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache StreamPipes", "versions": [{"status": "affected", "version": "0.69.0", "versionType": "maven", "lessThanOrEqual": "0.93.0"}], "packageName": "streampipes-user-management", "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache StreamPipes", "versions": [{"status": "affected", "version": "0.69.0", "versionType": "maven", "lessThanOrEqual": "0.93.0"}], "packageName": "streampipes-model", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes\u00a0user self-registration and password recovery mechanism.\nThis allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.\nThis issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n", "supportingMedia": [{"type": "text/html", "value": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes <span style=\"background-color: rgb(255, 255, 255);\">user self-registration and password recovery mechanism</span>.<br>This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.<br><p>This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.</p><p>Users are recommended to upgrade to version 0.95.0, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-06-24T09:59:39.941Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29868", "state": "PUBLISHED", "dateUpdated": "2024-09-13T16:03:11.423Z", "dateReserved": "2024-03-21T08:24:52.469Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-06-24T09:59:39.941Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B0251C7-A9CA-45C1-87F8-BD036467E074", "versionEndIncluding": "0.93.0", "versionStartIncluding": "0.69.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes\u00a0user self-registration and password recovery mechanism.\nThis allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.\nThis issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n"}, {"lang": "es", "value": "Uso de la vulnerabilidad del generador de n\u00fameros pseudoaleatorios (PRNG) criptogr\u00e1ficamente d\u00e9bil en el mecanismo de autorregistro de usuarios y recuperaci\u00f3n de contrase\u00f1as de Apache StreamPipes. Esto permite a un atacante adivinar el token de recuperaci\u00f3n en un tiempo razonable y as\u00ed hacerse cargo de la cuenta del usuario atacado. Este problema afecta a Apache StreamPipes: desde 0.69.0 hasta 0.93.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 0.95.0, que soluciona el problema."}], "id": "CVE-2024-29868", "lastModified": "2025-07-15T15:39:09.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-06-24T10:15:09.387", "references": [{"source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/06/22/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "[email protected]", "type": "Secondary"}]}