{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-12T12:56:04.455","vulnerabilities":[{"cve":{"id":"CVE-2024-42475","sourceIdentifier":"security-advisories@github.com","published":"2024-08-15T19:15:19.520","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the OAuth library for nim prior to version 0.11, the `state` values generated by the `generateState` function do not have sufficient entropy. These can be successfully guessed by an attacker allowing them to perform a CSRF vs a user, associating the user's session with the attacker's protected resources. While `state` isn't exactly a cryptographic value, it should be generated in a cryptographically secure way. `generateState` should be using a CSPRNG. Version 0.11 modifies the `generateState` function to generate `state` values of at least 128 bits of entropy while using a CSPRNG."},{"lang":"es","value":"En la librería OAuth para nim anterior a la versión 0.11, los valores de \"state\" generados por la función \"generateState\" no tienen suficiente entropía. Un atacante puede adivinarlos con éxito, permitiéndole realizar un CSRF frente a un usuario, asociando la sesión del usuario con los recursos protegidos del atacante. Si bien \"state\" no es exactamente un valor criptográfico, debe generarse de forma criptográficamente segura. `generateState` debería usar un CSPRNG. La versión 0.11 modifica la función \"generateState\" para generar valores de \"state\" de al menos 128 bits de entropía mientras se usa un CSPRNG."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-330"},{"lang":"en","value":"CWE-352"}]}],"references":[{"url":"https://github.com/CORDEA/oauth/blob/b8c163b0d9cfad6d29ce8c1fb394e5f47182ee1c/src/oauth2.nim#L179","source":"security-advisories@github.com"},{"url":"https://github.com/CORDEA/oauth/security/advisories/GHSA-332c-q46h-fg8f","source":"security-advisories@github.com"}]}}]}