{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-11T07:34:46.996","vulnerabilities":[{"cve":{"id":"CVE-2024-21495","sourceIdentifier":"report@snyk.io","published":"2024-02-17T05:15:09.343","lastModified":"2025-02-26T19:02:05.847","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package."},{"lang":"es","value":"Las versiones del paquete github.com/greenpau/caddy-security anteriores a la 1.0.42 son vulnerables a la aleatoriedad insegura debido al uso de una librería de generación de números aleatorios insegura que posiblemente podría predecirse mediante una búsqueda de fuerza bruta. Los atacantes podrían utilizar el valor nonce potencialmente predecible utilizado con fines de autenticación en el flujo de OAuth para realizar ataques de reproducción de OAuth. Además, se utiliza aleatoriedad insegura al generar secretos de autenticación multifactor (MFA) y crear claves API en el paquete de base de datos."}],"metrics":{"cvssMetricV31":[{"source":"report@snyk.io","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"report@snyk.io","type":"Secondary","description":[{"lang":"en","value":"CWE-330"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-330"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:greenpau:caddy-security:*:*:*:*:*:*:*:*","versionEndExcluding":"1.0.42","matchCriteriaId":"9E38C1D1-8679-4D77-858C-E2DCDAC2440C"}]}]}],"references":[{"url":"https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/","source":"report@snyk.io","tags":["Third Party Advisory"]},{"url":"https://github.com/greenpau/caddy-security/issues/265","source":"report@snyk.io","tags":["Issue Tracking"]},{"url":"https://github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae41085fbf7dc2","source":"report@snyk.io","tags":["Patch"]},{"url":"https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6248275","source":"report@snyk.io","tags":["Third Party Advisory"]},{"url":"https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://github.com/greenpau/caddy-security/issues/265","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking"]},{"url":"https://github.com/greenpau/go-authcrunch/commit/ecd3725baf2683eb1519bb3c81ae41085fbf7dc2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6248275","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}