Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation

2024-06-2412:30:38

Google

osv.dev

apache streampipes

cryptographically weak

recovery token

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

6.9 Medium

AI Score

Confidence

High

JSON

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism.
This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user’s account.
This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.

Users are recommended to upgrade to version 0.95.0, which fixes the issue.

CPENameOperatorVersion
org.apache.streampipes:streampipes-resource-managementeq0.92.0
org.apache.streampipes:streampipes-resource-managementeq0.93.0
org.apache.streampipes:streampipes-resource-managementeq0.70.0
org.apache.streampipes:streampipes-resource-managementeq0.91.0
org.apache.streampipes:streampipes-resource-managementeq0.69.0
org.apache.streampipes:streampipes-resource-managementeq0.90.0

Name	Operator	Version
org.apache.streampipes:streampipes-resource-management	eq	0.92.0
org.apache.streampipes:streampipes-resource-management	eq	0.93.0
org.apache.streampipes:streampipes-resource-management	eq	0.70.0
org.apache.streampipes:streampipes-resource-management	eq	0.91.0
org.apache.streampipes:streampipes-resource-management	eq	0.69.0
org.apache.streampipes:streampipes-resource-management	eq	0.90.0