CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31411 – Apache StreamPipes: Potential remote code execution (RCE) via file upload
https://notcve.org/view.php?id=CVE-2024-31411
Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes. Such a dangerous type might be an executable file that may lead to a remote code execution (RCE). The unrestricted upload is only possible for authenticated and authorized users. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue. • https://lists.apache.org/thread/b0657okbwzg5xxs11hphvc9qrd9s70mt • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31979 – Apache StreamPipes: Possibility of SSRF in pipeline element installation process
https://notcve.org/view.php?id=CVE-2024-31979
Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue. • https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-30471 – Apache StreamPipes: Potential creation of multiple identical accounts
https://notcve.org/view.php?id=CVE-2024-30471
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration. This allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe's user management. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue. • https://lists.apache.org/thread/8yodrmohgcybq900or3d4hc1msl230fr • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 1CVE-2024-29868 – Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation
https://notcve.org/view.php?id=CVE-2024-29868
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue. Uso de la vulnerabilidad del generador de números pseudoaleatorios (PRNG) criptográficamente débil en el mecanismo de autorregistro de usuarios y recuperación de contraseñas de Apache StreamPipes. Esto permite a un atacante adivinar el token de recuperación en un tiempo razonable y así hacerse cargo de la cuenta del usuario atacado. Este problema afecta a Apache StreamPipes: desde 0.69.0 hasta 0.93.0. Se recomienda a los usuarios actualizar a la versión 0.95.0, que soluciona el problema. • https://github.com/DEVisions/CVE-2024-29868 https://lists.apache.org/thread/g7t7zctvq2fysrw1x17flnc12592nhx7 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •