Use of Insufficiently Random Values in github.com/greenpau/caddy-security
Moderate severity
GitHub Reviewed
Published
Feb 17, 2024
to the GitHub Advisory Database
•
Updated Feb 20, 2024
Package
Affected versions
<= 1.0.42
Patched versions
None
Description
Published by the National Vulnerability Database
Feb 17, 2024
Published to the GitHub Advisory Database
Feb 17, 2024
Reviewed
Feb 20, 2024
Last updated
Feb 20, 2024
Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.
References