id: CVE-2024-29868

info:
  name: Apache StreamPipes <= 0.93.0 - Use of Cryptographically Weak PRNG in Recovery Token Generation
  author: Alessandro Albani - DEVisions
  severity: critical
  description: |
    Apache StreamPipes from version 0.69.0 through 0.93.0 uses a cryptographically weak Pseudo-Random Number Generator (PRNG) in the recovery token generation mechanism. Given a valid token it's possible to predict all past and future generated tokens.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to take over user accounts.
  remediation: |
    Update to Apache StreamPipes 0.95.0 or later.
  reference:
    - https://labs.yarix.com/2024/06/cve-2024-29868
    - https://www.cve.org/CVERecord?id=CVE-2024-29868
    - https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7
    - https://nvd.nist.gov/vuln/detail/CVE-2024-29868
  classification:
    cve-id: CVE-2024-29868
    cwe-id: CWE-338
    cpe: cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    shodan-query: http.title:"apache streampipes"
    fofa-query: title="apache streampipes"
    product: streampipes
    vendor: apache
  tags: cve,cve2024,apache,streampipes,account-takeover

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - '{{BaseURL}}/streampipes-backend/api/v2/auth/settings'
    headers:
      User-Agent: "{{randstr}}"
    extractors:
      - type: json
        part: body
        name: settings
        group: 1
        json:
          - 'if .allowPasswordRecovery==true and .allowSelfRegistration==true then true else false end'
        internal: true

  - method: GET
    path:
      - '{{BaseURL}}/streampipes-backend/api/openapi.json'
    headers:
      User-Agent: "{{randstr}}"
    extractors:
      - type: json
        part: body
        name: version
        group: 1
        json:
          - '.info.version'
        internal: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(settings, true)'
          - "compare_versions(version, '>= 0.69.0') && compare_versions(version, '<= 0.93.0')"
        condition: and
# digest: 4a0a0047304502200acd51d743c92616247661520d6bcd7c399edfe946701791f72c475a0e1b77360221008c5a8e2a0c05e72a64379d0c3de7f7ea516236c3705e3decfdc5141b05e0bc18:922c64590222798bb761d5b6d8e72950
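The description above names the weakness class (CWE-338: a non-cryptographic PRNG feeding a security token). The following is an added Python illustration of that class and of its standard fix; it is not StreamPipes code, the template does not say which PRNG StreamPipes used, and the token alphabet, length and seed values are constructed for the example. The point it makes is the one a reviewer checks for: a token stream from a general-purpose PRNG is a pure function of its internal state, so identical state yields identical tokens, whereas a CSPRNG-backed generator draws from the operating system's entropy source and has no reproducible state to recover.

```python
"""CWE-338 pattern versus its fix, as an offline illustration (constructed example)."""
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed alphabet for the weak generator
TOKEN_LEN = 32                                   # assumed token length


def weak_recovery_token(rng: random.Random) -> str:
    """Weak pattern: a recovery token drawn from a general-purpose PRNG.

    random.Random is a Mersenne Twister; its output is fully determined by its
    internal state, which is exactly the property CWE-338 warns about.
    """
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def secure_recovery_token() -> str:
    """Fixed pattern: token bytes come from the OS CSPRNG via the secrets module.

    secrets.token_urlsafe(24) returns 24 random bytes base64url-encoded
    (32 characters), with no caller-visible state to reproduce.
    """
    return secrets.token_urlsafe(24)


def weak_generator_repeats_under_same_state(seed: int, count: int = 3) -> bool:
    """True when two weak generators in the same state emit the same token stream.

    This is the defect a code review should flag: the token stream is
    reproducible from state, so it cannot serve as an unguessable secret.
    """
    first = random.Random(seed)
    second = random.Random(seed)
    return [weak_recovery_token(first) for _ in range(count)] == [
        weak_recovery_token(second) for _ in range(count)
    ]


def secure_tokens_are_distinct(count: int = 200) -> bool:
    """Sanity check on the fixed generator: no collisions across `count` draws.

    With 192 bits of entropy per token, a collision in a few hundred draws
    would indicate a broken entropy source rather than bad luck.
    """
    return len({secure_recovery_token() for _ in range(count)}) == count


if __name__ == "__main__":
    print("weak generator reproducible:", weak_generator_repeats_under_same_state(seed=12345))
    print("secure tokens distinct:", secure_tokens_are_distinct())
```

When reviewing token generation in any language, the check is the same as the one this snippet encodes: the source of randomness must be the platform CSPRNG (`secrets`/`os.urandom` in Python, `java.security.SecureRandom` in Java), never a seedable general-purpose PRNG, regardless of how long or how alphanumeric the resulting token looks.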
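The template's decision logic (both authentication flags true in `/streampipes-backend/api/v2/auth/settings`, and `info.version` from `openapi.json` inside the 0.69.0 to 0.93.0 range) is easy to misread from the jq and DSL one-liners, so here is an added Python re-implementation of exactly that logic run over response bodies constructed inline. It is not part of the Nuclei template and makes no network requests; the sample JSON bodies are constructed for the example, and the version parser's tolerance for a `-SNAPSHOT` suffix is an assumption about how such version strings might appear, not something the template states.

```python
"""Offline mirror of the template's two-step vulnerability check (constructed example)."""
import json
import re
from typing import Tuple

# Bounds taken from the template's compare_versions matchers and remediation note.
AFFECTED_MIN = (0, 69, 0)
AFFECTED_MAX = (0, 93, 0)
FIXED_VERSION = (0, 95, 0)

# Constructed sample responses, not captured from any real host.
SAMPLE_SETTINGS_EXPOSED = '{"allowPasswordRecovery": true, "allowSelfRegistration": true}'
SAMPLE_SETTINGS_CLOSED = '{"allowPasswordRecovery": false, "allowSelfRegistration": true}'
SAMPLE_OPENAPI_AFFECTED = '{"info": {"title": "Apache StreamPipes", "version": "0.93.0"}}'
SAMPLE_OPENAPI_FIXED = '{"info": {"title": "Apache StreamPipes", "version": "0.95.0"}}'


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '0.93.0' (or, assumed, '0.95.0-SNAPSHOT') into a 3-tuple of ints.

    Missing components are padded with zeros so '0.93' compares as 0.93.0.
    """
    core = version.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+){0,2}", core):
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)  # type: ignore[return-value]


def recovery_exposed(settings_body: str) -> bool:
    """Mirror of the jq filter: both flags must be the JSON literal true.

    The jq expression compares against `true`, so a string "true" would not
    match there either; `is True` reproduces that strictness.
    """
    settings = json.loads(settings_body)
    return (
        settings.get("allowPasswordRecovery") is True
        and settings.get("allowSelfRegistration") is True
    )


def version_in_affected_range(openapi_body: str) -> bool:
    """Mirror of the DSL matcher: 0.69.0 <= info.version <= 0.93.0."""
    version = parse_version(json.loads(openapi_body)["info"]["version"])
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def is_vulnerable(settings_body: str, openapi_body: str) -> bool:
    """Both conditions must hold, matching the template's `condition: and`."""
    return recovery_exposed(settings_body) and version_in_affected_range(openapi_body)


def triage(settings_body: str, openapi_body: str) -> str:
    """Human-readable outcome, mirroring the template's remediation advice."""
    version = parse_version(json.loads(openapi_body)["info"]["version"])
    if version >= FIXED_VERSION:
        return "not affected: running a fixed release (0.95.0 or later)"
    if not version_in_affected_range(openapi_body):
        return "outside the affected range; template would not match"
    if not recovery_exposed(settings_body):
        return "affected version, but password recovery or self-registration is disabled"
    return "vulnerable: update to Apache StreamPipes 0.95.0 or later"


if __name__ == "__main__":
    print(triage(SAMPLE_SETTINGS_EXPOSED, SAMPLE_OPENAPI_AFFECTED))
    print(triage(SAMPLE_SETTINGS_CLOSED, SAMPLE_OPENAPI_AFFECTED))
    print(triage(SAMPLE_SETTINGS_EXPOSED, SAMPLE_OPENAPI_FIXED))
```

Note that the template only reports a match when both flags are true; an affected version with password recovery disabled is still running the weak generator and should still be upgraded, which is why `triage` reports that case separately rather than folding it into "not affected".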