Skip to content
Nuclei Templates

Apache StreamPipes <= 0.93.0 - Use of Cryptographically Weak PRNG in Recovery Token Generation

ID: CVE-2024-29868

Severity: critical

Author: Alessandro Albani - DEVisions

Tags: cve,cve2024,apache,streampipes,account-takeover

Description

Section titled “Description”

Apache StreamPipes from version 0.69.0 through 0.93.0 uses a cryptographically weak Pseudo-Random Number Generator (PRNG) in the recovery token generation mechanism. Given a valid token it’s possible to predict all past and future generated tokens.

YAML Source

Section titled “YAML Source”
id: CVE-2024-29868


info:
  name: Apache StreamPipes <= 0.93.0 - Use of Cryptographically Weak PRNG in Recovery Token Generation
  author: Alessandro Albani - DEVisions
  severity: critical
  description: |
    Apache StreamPipes from version 0.69.0 through 0.93.0 uses a cryptographically weak Pseudo-Random Number Generator (PRNG) in the recovery token generation mechanism. Given a valid token it's possible to predict all past and future generated tokens.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to take over user accounts.
  remediation: |
    Update to Apache StreamPipes 0.95.0 or later.
  reference:
    - https://labs.yarix.com/2024/06/cve-2024-29868
    - https://www.cve.org/CVERecord?id=CVE-2024-29868
    - https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7
    - https://nvd.nist.gov/vuln/detail/CVE-2024-29868
  classification:
    cve-id: CVE-2024-29868
    cwe-id: CWE-338
    cpe: cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    shodan-query: http.title:"apache streampipes"
    fofa-query: title="apache streampipes"
    product: streampipes
    vendor: apache
  tags: cve,cve2024,apache,streampipes,account-takeover


flow: http(1) && http(2)


http:
  - method: GET
    path:
      - '{{BaseURL}}/streampipes-backend/api/v2/auth/settings'
    headers:
      User-Agent: "{{randstr}}"


    extractors:
      - type: json
        part: body
        name: settings
        group: 1
        json:
          - 'if .allowPasswordRecovery==true and .allowSelfRegistration==true then true else false end'
        internal: true


  - method: GET
    path:
      - '{{BaseURL}}/streampipes-backend/api/openapi.json'
    headers:
      User-Agent: "{{randstr}}"


    extractors:
      - type: json
        part: body
        name: version
        group: 1
        json:
          - '.info.version'
        internal: true


    matchers:
      - type: dsl
        dsl:
          - 'contains(settings, true)'
          - "compare_versions(version, '>= 0.69.0') && compare_versions(version, '<= 0.93.0')"
        condition: and
# digest: 4a0a00473045022100fba16dc5a7e0e1c703f73632d6bf3d0458b19bb1f468fdea390a6f3f885594f902200a6475644461a80a89369a00871a64bc8106ce2428a69f3f11a3c6eb3b1ea8ab:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-29868.yaml"

View on Github