CVE-2024-29868— Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-29868
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation
Source: NVD (National Vulnerability Database)
Vulnerability Description
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用具有密码学弱点缺陷的PRNG
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache StreamPipes 安全特征问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache StreamPipes是美国阿帕奇(Apache)基金会的一个自助式(工业)物联网工具箱,使非技术用户能够连接、分析和探索 IIoT 数据流。 Apache StreamPipes 0.69.0版本到0.93.0版本存在安全特征问题漏洞,该漏洞源于存在加密弱伪随机数生成器(PRNG)漏洞,允许攻击者在合理的时间内猜出恢复令牌,从而接管受攻击用户的帐户。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPipes | 0.69.0 ~ 0.93.0 | - | |
| Apache Software Foundation | Apache StreamPipes | 0.69.0 ~ 0.93.0 | - |
II. Public POCs for CVE-2024-29868
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Proof of concept of CVE-2024-29868 affecting Apache StreamPipes from 0.69.0 through 0.93.0 | https://github.com/DEVisions/CVE-2024-29868 | POC Details |
| 2 | Apache StreamPipes from version 0.69.0 through 0.93.0 uses a cryptographically weak Pseudo-Random Number Generator (PRNG) in the recovery token generation mechanism. Given a valid token it's possible to predict all past and future generated tokens. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-29868.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-29868
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: Apache StreamPipes
- CVE-2025-47411
Apache StreamPipes: Leverage of User ID for Privilege Escala - CVE-2024-24778
Apache StreamPipes: Resources Permission Escalation - CVE-2024-31411
Apache StreamPipes: Potential remote code execution (RCE) vi - CVE-2024-31979
Apache StreamPipes: Possibility of SSRF in pipeline element - CVE-2024-30471
Apache StreamPipes: Potential creation of multiple identical
Same vendor: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
Same weakness: CWE-338
- CVE-2026-6659
Crypt::PasswdMD5 versions through 1.42 for Perl generates in - CVE-2026-41505
RELATE: Predictable Token Generation in auth.py and exam.py - CVE-2026-40514
SmarterTools SmarterMail < Build 9610 Cryptographic Weakness - CVE-2026-5088
Apache::API::Password versions through 0.5.2 for Perl can ge - CVE-2026-25726
Cloudreve is vulnerable to Account Takeover via Weak Cryptog
V. Comments for CVE-2024-29868
No comments yet