PT-2024-3906 · Unknown · Caddy-Security
Author: David Pokora (+2)
Published: 2024-02-16
Updated: 2024-06-28
CVE: CVE-2024-21495
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
caddy-security versions prior to 1.0.42
Description:
The issue stems from the use of insufficiently random values in the caddy-security plugin, which a remote attacker can exploit to conduct OAuth replay attacks and to cause insecure multifactor authentication secrets and API keys to be generated in the database. Values produced by the insecure random number generation library used by the plugin could be predicted via a brute-force search, allowing an attacker to use the potentially predictable nonce value for authentication purposes in the OAuth flow.
Recommendations:
For versions prior to 1.0.42, update to version 1.0.42 or later to resolve the issue. As a temporary workaround, consider restricting access to the OAuth flow and multifactor authentication features until the update is applied. Additionally, avoid relying on the potentially predictable nonce value for authentication purposes, and restrict the generation of API keys in the database package until the issue is resolved.
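To make the weakness class concrete, the following Go program is an added illustration (not code from caddy-security or its authors) that places a token generator built on the deterministic math/rand package beside one built on crypto/rand, the operating system's CSPRNG. The weakNonce function is a constructed stand-in for the pattern described above, not the plugin's actual implementation; the seed value and token length are assumptions for the demonstration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	mrand "math/rand"
)

// weakNonce is a constructed illustration of CWE-330 (Use of Insufficiently
// Random Values): the token is fully determined by the seed, so anyone who
// can recover or guess the seed can reproduce every nonce it ever emits.
// This is NOT the plugin's code; it only models the weakness class.
func weakNonce(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// secureNonce draws n bytes from crypto/rand, the correct source for OAuth
// nonces, MFA secrets and API keys. A read failure is returned, never masked
// with a fallback to a weaker generator.
func secureNonce(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("crypto/rand unavailable: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func main() {
	// Two independent generators with the same seed yield identical tokens:
	// the property that makes a replay possible.
	fmt.Println("weak, seed 1:      ", weakNonce(1, 16))
	fmt.Println("weak, seed 1 again:", weakNonce(1, 16))
	s, err := secureNonce(16)
	if err != nil {
		panic(err)
	}
	fmt.Println("secure:            ", s)
}
```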
Weakness Enumeration:
Use of Insufficiently Random Values
Related Identifiers:
CVE-2024-21495
Affected Products:
Caddy-Security