Описание
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
Ссылки
- Mailing ListVendor Advisory
- Mailing ListThird Party Advisory
- Mailing ListVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 0.69.0 (включая) до 0.93.0 (включая)
cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*
EPSS
Процентиль: 99%
0.74201
Высокий
9.1 Critical
CVSS3
Дефекты
CWE-338
Связанные уязвимости
CVSS3: 9.1
github
больше 1 года назад
Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation
EPSS
Процентиль: 99%
0.74201
Высокий
9.1 Critical
CVSS3
Дефекты
CWE-338