Insecure Randomness Affecting github.com/greenpau/go-authcrunch/pkg/identity package, versions <1.0.42


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.05% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Insecure Randomness vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GITHUBCOMGREENPAUGOAUTHCRUNCHPKGIDENTITY-7897570
  • published5 Sept 2024
  • disclosed18 Sept 2023
  • creditMaciej Domanski, Travis Peters, David Pokora

Introduced: 18 Sep 2023

CVE-2024-21495  (opens in a new tab)
CWE-330  (opens in a new tab)
First added by Snyk

How to fix?

Upgrade github.com/greenpau/go-authcrunch/pkg/identity to version 1.0.42 or higher.

Overview

Affected versions of this package are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.

CVSS Scores

version 3.1