Home > Vulnerability Database > CVE-2024-42475

Mend.io Vulnerability Database

CVE-2024-42475

Date: August 15, 2024

In the OAuth library for nim prior to version 0.11, the "state" values generated by the "generateState" function do not have sufficient entropy. These can be successfully guessed by an attacker allowing them to perform a CSRF vs a user, associating the user's session with the attacker's protected resources. While "state" isn't exactly a cryptographic value, it should be generated in a cryptographically secure way. "generateState" should be using a CSPRNG. Version 0.11 modifies the "generateState" function to generate "state" values of at least 128 bits of entropy while using a CSPRNG.

Language: NIM

Severity Score

6.5

Related Resources (4)

Url: https://github.com/CORDEA/oauth/security/advisories/GHSA-332c-q46h-fg8f

Url: https://github.com/CORDEA/oauth/blob/b8c163b0d9cfad6d29ce8c1fb394e5f47182ee1c/src/oauth2.nim#L179

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-42475

Url: https://www.mend.io/vulnerability-database/CVE-2024-42475

Severity Score

6.5

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

Use of Insufficiently Random Values

CWE-330

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-42475

Date: August 15, 2024

Language: NIM

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?