Home > Vulnerability Database > CVE-2024-21495

Mend.io Vulnerability Database

CVE-2024-21495

Good to know:

Date: February 17, 2024

Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.

Language: Go

Severity Score

6.5

Related Resources (8)

Url: https://github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae41085fbf7dc2

Url: https://github.com/greenpau/caddy-security/issues/265

Url: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy

Url: github.com/greenpau/caddy-security

Url: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-21495

Url: https://github.com/advisories/GHSA-c7vf-m394-m4x4

Url: https://www.mend.io/vulnerability-database/CVE-2024-21495

Severity Score

6.5

Weakness Type (CWE)

Use of Insufficiently Random Values

CWE-330

Top Fix

Upgrade Version

Upgrade to version v1.0.42

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-21495

Good to know:

Date: February 17, 2024

Language: Go

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?