9.8

CVE-2024-21495

EPSS 0.13%
Veröffentlicht 17.02.2024 05:15:09
Zuletzt bearbeitet 19.02.2025 15:47:31
Quelle report@snyk.io
CVE-Watchlists
Login
Unerledigt
Login

Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Greenpau ≫ Caddy-security Version < 1.0.42

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.326

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
report@snyk.io	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/

Third Party Advisory

https://github.com/greenpau/caddy-security/issues/265

Issue Tracking

https://github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae41085fbf7dc2

Patch

https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6248275

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-21495

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-21495

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-21495

EUVD