CVE-2024-29868
Published: 24 June 2024
Summary
CVE-2024-29868 is a critical-severity weak-PRNG (CWE-338) vulnerability in Apache StreamPipes. Its CVSS base score is 9.1 (Critical).
Operationally, it is ranked in the top 0.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-29868 is a Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability, tracked under CWE-338, that affects the user self-registration and password recovery mechanisms in Apache StreamPipes versions 0.69.0 through 0.93.0. The flaw stems from insufficient randomness in token generation, enabling predictable values that undermine the security of account recovery flows.
An unauthenticated remote attacker can exploit the issue over the network with low complexity to guess a valid recovery token within a feasible timeframe, allowing full takeover of the targeted user account and resulting in high impacts to confidentiality and integrity.
Apache advisories direct users to upgrade immediately to version 0.95.0, which replaces the weak PRNG in the affected components. The associated references, including the Apache StreamPipes mailing list announcement and the oss-security disclosure, give the same remediation path and describe no additional configuration changes.
The EPSS score stands at a current and peak value of 0.8191, indicating sustained exploitation interest following disclosure.
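The weakness class described above is easiest to see side by side: a recovery token drawn from a general-purpose PRNG seeded with a low-entropy value, next to one drawn from the operating system's CSPRNG and handled with expiry, hashing at rest and a constant-time comparison. The code below is an added illustration written for this advisory; it is not Apache StreamPipes code and does not reproduce the project's actual token routine. The function names, the token length, the alphabet and the 15-minute lifetime are all assumptions chosen for the example.

```python
"""Recovery-token generation: the CWE-338 pattern beside a hardened form.

Added illustration for the CVE-2024-29868 advisory. Not Apache StreamPipes
code; all names, lengths and lifetimes here are assumptions for the example.
"""
import hashlib
import hmac
import math
import random
import secrets
import string
import time
from typing import Dict, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
TOKEN_LENGTH = 32
TOKEN_TTL_SECONDS = 15 * 60


def weak_recovery_token(seed: int, length: int = TOKEN_LENGTH) -> str:
    """CWE-338 pattern: a general-purpose PRNG seeded from a low-entropy value.

    `seed` stands in for something like a request timestamp. Because the
    generator is deterministic, the token's secrecy rests entirely on the
    seed, which is why this form is unsuitable for security tokens.
    """
    rng = random.Random(seed)                      # Mersenne Twister, not a CSPRNG
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_recovery_token(length: int = TOKEN_LENGTH) -> str:
    """Hardened form: every character comes from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def token_entropy_bits(length: int = TOKEN_LENGTH, alphabet: str = ALPHABET) -> float:
    """Entropy of a token whose characters are uniform and independent."""
    return length * math.log2(len(alphabet))


class RecoveryTokenStore:
    """Minimal server-side handling: digest at rest, expiry, single use,
    constant-time comparison. Constructed for the example."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._pending: Dict[str, Tuple[str, float]] = {}   # user -> (digest, issued_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a token for `user`; only its digest is retained."""
        token = strong_recovery_token()
        self._pending[user] = (self._digest(token), time.time() if now is None else now)
        return token    # delivered to the user out of band

    def redeem(self, user: str, presented: str, now: Optional[float] = None) -> bool:
        """Accept `presented` once, within the TTL, comparing in constant time."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, issued_at = entry
        now = time.time() if now is None else now
        if now - issued_at > self.ttl:
            self._pending.pop(user, None)           # expired: discard
            return False
        ok = hmac.compare_digest(digest, self._digest(presented))
        if ok:
            self._pending.pop(user, None)           # single use
        return ok


if __name__ == "__main__":
    # The weak form reproduces the same token for the same seed; the strong
    # form does not depend on any caller-supplied value.
    print("weak, seed 1718000000:", weak_recovery_token(1718000000))
    print("weak, same seed again:", weak_recovery_token(1718000000))
    print("strong:", strong_recovery_token())
    print("entropy bits per strong token: %.1f" % token_entropy_bits())
```

Running the block shows the weak generator returning the identical token for a repeated seed, which is the property the advisory's "guess the recovery token in a reasonable time" wording refers to; the `secrets`-based token gives roughly 190 bits of entropy at this length, so the remaining risk is in handling (lifetime, single use, comparison), which the store covers.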
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2019
Vulnerability details
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.
This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.
- CWE(s): CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Apache StreamPipes versions 0.69.0 through 0.93.0 (fixed in 0.95.0).
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security associations publish guidance on cryptographically weak PRNGs, helping teams avoid using them in security-critical functions.
Cryptographic key management standards require cryptographically strong PRNGs for key material, blocking use of weak generators.