6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-21495

GHSA ID

GHSA-c7vf-m394-m4x4

EPSS Score

0.32614%

CWE

CWE-330

Published

2/17/2024

Updated

2/20/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-21495

CVE-2024-21495: Use of Insufficiently Random Values in github.com/greenpau/caddy-security

Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-21495

CVE-2024-21495:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-21495

GHSA ID

GHSA-c7vf-m394-m4x4

EPSS Score

0.32614%

CWE

CWE-330

Published

2/17/2024

Updated

2/20/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/greenpau/caddy-security	go	<= 1.0.42

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using math/rand with time-based seeding in security contexts. The commit diff shows removal of pkg/identity/random.go which contained these insecure functions, replaced by crypto/rand in util/random.go. Functions like NewAPIKey and NewMfaToken directly consumed these insecure random generators for security-sensitive values (OAuth nonce, MFA secrets, API keys), as evidenced by code references in the Trail of Bits analysis and GitHub issue #265. The high confidence comes from explicit code changes in the commit and clear vulnerability patterns in the documented attack vectors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-21495: Use of Insufficiently Random Values in github.com/greenpau/caddy-security

CVE-2024-21495:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-21495: Use of Insufficiently Random Values in github.com/greenpau/caddy-security

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.5

6.5

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI