Vulnerability Description
Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.
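As an added illustration (not code from caddy-security or go-authcrunch), the weak pattern behind this class of bug beside its fix, assuming the insecure library is Go's non-cryptographic math/rand seeded from a guessable value: a nonce that is reproducible from its seed can be recovered by searching the seed space, while one read from crypto/rand cannot, and the same applies to MFA secrets and API keys.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
)

// weakNonce mirrors the flawed pattern: bytes drawn from a
// non-cryptographic PRNG seeded with a small, guessable value
// (illustrative, not the plugin's actual code). Anyone who can
// guess the seed reproduces the nonce exactly.
func weakNonce(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return hex.EncodeToString(b)
}

// secureNonce is the corrected pattern: read from the OS CSPRNG and
// fail closed if it is unavailable instead of falling back to math/rand.
func secureNonce(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("csprng unavailable: %w", err)
	}
	return hex.EncodeToString(b), nil
}

// reproducible reports whether a generator yields the same value twice
// for the same seed. A source used for OAuth nonces, MFA secrets or
// API keys must never satisfy this.
func reproducible(gen func(int64) string, seed int64) bool {
	return gen(seed) == gen(seed)
}

func main() {
	weak := func(seed int64) string { return weakNonce(seed, 16) }
	fmt.Println("weak nonce reproducible from seed:", reproducible(weak, 1700000000))
	a, _ := secureNonce(16)
	b, _ := secureNonce(16)
	fmt.Println("secure nonces differ:", a != b)
}
```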
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Greenpau | Caddy-Security | < 1.0.42 |
Related Weaknesses (CWE)
References
- https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-cadd (Third Party Advisory)
- https://github.com/greenpau/caddy-security/issues/265 (Issue Tracking)
- https://github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae410 (Patch)
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6248275 (Third Party Advisory)
FAQ
What is CVE-2024-21495?
CVE-2024-21495 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predict...
How severe is CVE-2024-21495?
CVE-2024-21495 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-21495?
Check the references section above for vendor advisories and patch information. Affected products include: Greenpau Caddy-Security.