CVE-2024-21495 MEDIUM

Vendor N/A
Product github.com/greenpau/caddy-security
Weakness CWE-330 · Insufficient randomness
Published February 17, 2024
Last update September 5, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P

What the vulnerability does

01 Description

Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.
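The description names the defect class (a non-cryptographic random source feeding an OAuth nonce) but shows no code. The Go program below is an added example, not code from caddy-security or from its 1.0.42 fix, and every name in it (`weakNonce`, `NewNonce`, `NonceStore`) is an assumption. `weakNonce` reproduces the class with `math/rand` seeded from the clock, which is why such a nonce is repeatable and searchable; `NewNonce` is the hardened form drawing from `crypto/rand` with a minimum length; `NonceStore` binds each nonce to a single redemption within a TTL, which is the server-side check that makes a captured callback useless for replay even if a nonce were guessed.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	mrand "math/rand"
	"sync"
	"time"
)

// weakNonce illustrates the defect class the advisory describes (hypothetical
// code, not caddy-security's): math/rand is a deterministic PRNG, so the same
// seed always yields the same "nonce", and a clock-derived seed carries far
// less entropy than the output length suggests.
func weakNonce(seed int64, nBytes int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, nBytes)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// NewNonce is the hardened form: crypto/rand reads from the OS CSPRNG, and
// 16 bytes (128 bits) is enforced as a floor so short nonces are rejected.
func NewNonce(nBytes int) (string, error) {
	if nBytes < 16 {
		return "", errors.New("nonce must be at least 16 bytes")
	}
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

var (
	ErrUnknownNonce = errors.New("nonce not issued or already redeemed")
	ErrExpiredNonce = errors.New("nonce expired")
)

// NonceStore (assumed helper) tracks issued nonces so each one can be
// redeemed exactly once before it expires. Unpredictable generation defeats
// guessing; single use plus a TTL defeats replay of a captured callback.
type NonceStore struct {
	mu     sync.Mutex
	issued map[string]time.Time
	ttl    time.Duration
}

func NewNonceStore(ttl time.Duration) *NonceStore {
	return &NonceStore{issued: map[string]time.Time{}, ttl: ttl}
}

// Issue generates a fresh nonce and records when it was handed out.
func (s *NonceStore) Issue() (string, error) {
	n, err := NewNonce(32)
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.issued[n] = time.Now()
	return n, nil
}

// Redeem accepts a nonce once and deletes it whatever the outcome, so
// neither a replayed nor an expired nonce can be retried later.
func (s *NonceStore) Redeem(n string, at time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	issuedAt, ok := s.issued[n]
	if !ok {
		return ErrUnknownNonce
	}
	delete(s.issued, n)
	if at.Sub(issuedAt) > s.ttl {
		return ErrExpiredNonce
	}
	return nil
}

func main() {
	seed := time.Now().UnixNano()
	fmt.Println("weak nonce repeats for same seed:", weakNonce(seed, 32) == weakNonce(seed, 32))
	s := NewNonceStore(5 * time.Minute)
	n, _ := s.Issue()
	fmt.Println("first redeem:", s.Redeem(n, time.Now()))
	fmt.Println("replayed redeem:", s.Redeem(n, time.Now()))
}
```

The nonce store is the part to carry into a real OAuth handler: a cryptographically random nonce that is accepted more than once still leaves a replay window, while a single-use, time-bounded nonce closes it. A 32-byte nonce encodes to a 43-character URL-safe string with no padding.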

Key dates

02 Disclosure timeline

February 17, 2024 CVE published
September 5, 2024 Record updated