Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation
Critical severity
GitHub Reviewed
Published
Jun 24, 2024
to the GitHub Advisory Database
•
Updated Jul 3, 2024
Package
Affected versions
>= 0.69.0, < 0.95.0
Patched versions
0.95.0
Description
Published by the National Vulnerability Database
Jun 24, 2024
Published to the GitHub Advisory Database
Jun 24, 2024
Reviewed
Jul 1, 2024
Last updated
Jul 3, 2024
Credits
-
oscerd Analyst
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism.
This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.
This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
References