Insecure Randomness in Caddy Security Could Lead to OAuth Replay Attacks and MFA Secret Exposure
CVE-2024-21495

9.8 CRITICAL

What is CVE-2024-21495?

The Caddy Security package by Greenpau, before version 1.0.42, uses an insecure random number generation library. Because the nonce values used in the OAuth authentication flow are predictable, an attacker could conduct OAuth replay attacks. The same insecure randomness is also used to generate multi-factor authentication (MFA) secrets and API keys stored in the database, potentially compromising users and their authentication processes.
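As an added illustration for this page (not caddy-security's own code), the Go snippet below places the weak pattern beside the hardened one: weakNonce draws an OAuth-style nonce from math/rand, assumed here as a stand-in for the insecure library the advisory refers to, and is fully reproducible from its seed, while secureNonce and mfaSecret use crypto/rand. The function names and the sample seed are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
)

// weakNonce reproduces the flawed pattern: an OAuth nonce drawn from math/rand.
// math/rand is a deterministic PRNG, so anyone who knows (or can narrow down)
// the seed can regenerate every nonce it produced. Assumed stand-in for the insecure library.
func weakNonce(seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, 16)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return hex.EncodeToString(b)
}

// secureNonce is the hardened form: crypto/rand reads the OS CSPRNG, so the
// output is unpredictable even to someone who knows exactly when it was generated.
func secureNonce(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err // never fall back to math/rand on failure
	}
	return hex.EncodeToString(b), nil
}

// mfaSecret generates a TOTP shared secret the same way: 20 CSPRNG bytes
// (160 bits), base32-encoded without padding as authenticator apps expect.
func mfaSecret() (string, error) {
	b := make([]byte, 20)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b), nil
}

func main() {
	// A clock-derived seed is typical of the weak pattern; 1700000000 is a constructed value.
	fmt.Println("weak nonce reproducible from seed:", weakNonce(1700000000) == weakNonce(1700000000))
	n, _ := secureNonce(16)
	s, _ := mfaSecret()
	fmt.Println("secure nonce:", n, "mfa secret:", s)
}
```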

Affected Version(s)

github.com/greenpau/caddy-security: all versions before 1.0.42 (>= 0, < 1.0.42)

CVSS v3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Maciej Domanski
Travis Peters
David Pokora