CVE-2024-21495 Information

Feb 18, 2024 cve

Description

Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.

Reference

https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6248275 https://github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae41085fbf7dc2 https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ https://github.com/greenpau/caddy-security/issues/265

Share on: