Insecure Randomness in Caddy Security Could Lead to OAuth Replay Attacks and MFA Secret Exposure
CVE-2024-21495
Key Information:
- Vendor: greenpau (github.com/greenpau/caddy-security)
- CVE Published: 17 February 2024
What is CVE-2024-21495?
The caddy-security package (github.com/greenpau/caddy-security) before version 1.0.42 generates security-sensitive values with an insecure, non-cryptographic random number generator. The nonce used in the OAuth authentication flow is therefore predictable, which lets an attacker who can reproduce or guess the generator's output mount OAuth replay attacks. The same weak randomness is used to generate multifactor authentication (MFA) secrets and API keys that are stored in the database, so those secrets may be guessable as well, compromising the users and authentication flows that depend on them. The fix is to upgrade to 1.0.42 or later; note that upgrading only changes how new values are generated, so MFA secrets and API keys created by an affected version should be treated as weak and rotated.
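The following Go program is an added illustration of the bug class described above, not code from caddy-security itself: a token generator built on math/rand (deterministic, reproducible from its seed, and recoverable from observed output) beside one built on crypto/rand, plus a minimal single-use nonce store of the kind an OAuth callback handler needs so that a captured nonce cannot be replayed. The function names, the 32-character alphabet, and the fixed seed are assumptions chosen for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
	"sync"
)

// Example alphabet for the weak generator (an assumption for this demo).
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// weakToken is the vulnerable pattern: math/rand is a deterministic PRNG.
// Anyone who knows (or can brute-force) the seed regenerates every token,
// and even with an unknown seed its internal state can be recovered from
// a handful of observed outputs. It must never produce nonces or secrets.
func weakToken(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = alphabet[r.Intn(len(alphabet))]
	}
	return string(b)
}

// strongToken is the corrected pattern: crypto/rand reads from the OS CSPRNG.
// n random bytes are hex-encoded, so the result has 2*n characters.
func strongToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// strongMFASecret draws 160 bits from crypto/rand and base32-encodes them,
// the form TOTP authenticator apps expect (32 characters, no padding).
func strongMFASecret() (string, error) {
	b := make([]byte, 20)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b), nil
}

// nonceStore issues unpredictable OAuth nonces and accepts each one exactly
// once; a second presentation of the same nonce (a replay) is rejected.
type nonceStore struct {
	mu     sync.Mutex
	issued map[string]struct{}
}

func newNonceStore() *nonceStore {
	return &nonceStore{issued: make(map[string]struct{})}
}

// Issue returns a fresh 128-bit nonce to embed in the authorization request.
func (s *nonceStore) Issue() (string, error) {
	n, err := strongToken(16)
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	s.issued[n] = struct{}{}
	s.mu.Unlock()
	return n, nil
}

// Consume validates the nonce returned on the callback and burns it.
func (s *nonceStore) Consume(n string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.issued[n]; !ok {
		return false
	}
	delete(s.issued, n)
	return true
}

func main() {
	// Same seed, same "random" nonce: the weak generator is fully predictable.
	fmt.Println("weak nonce, seed 1:", weakToken(1, 32))
	fmt.Println("weak nonce, seed 1:", weakToken(1, 32))

	secret, _ := strongMFASecret()
	fmt.Println("strong MFA secret:", secret)

	store := newNonceStore()
	nonce, _ := store.Issue()
	fmt.Println("first use accepted:", store.Consume(nonce))
	fmt.Println("replay accepted:   ", store.Consume(nonce))
}
```

Run with `go run main.go`; the two weak nonces print identically, while the strong values differ on every run and the replayed nonce is refused. The single-use store closes the replay window only if the nonce itself is unguessable, which is why both halves of the fix belong together.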

Affected Version(s)
- github.com/greenpau/caddy-security: all versions before 1.0.42 (>= 0, < 1.0.42)
