Moderate severityOSV Advisory· Published Feb 17, 2024· Updated Sep 5, 2024
CVE-2024-21495
CVE-2024-21495
Description
Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/greenpau/caddy-securityGo | <= 1.0.42 | — |
Affected products
2- Range: v1.0.10, v1.0.11, v1.0.12, …
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-c7vf-m394-m4x4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-21495ghsaADVISORY
- github.com/greenpau/caddy-securityghsaPACKAGE
- blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddyghsaWEB
- github.com/greenpau/caddy-security/issues/265ghsaWEB
- github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae41085fbf7dc2ghsaWEB
- security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6248275ghsaWEB
- blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/mitre
News mentions
0No linked articles in our index yet.