How severe is CVE-2024-42475?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2024-42475?

This is classified as CWE-330, which is a common weakness in software security.

CVE-2024-42475

MEDIUM Year: 2024

CVSS v3 Score

6.5

Medium

Weakness Type

CWE-330

View all →

Vulnerability Description

In the OAuth library for nim prior to version 0.11, the `state` values generated by the `generateState` function do not have sufficient entropy. These can be successfully guessed by an attacker allowing them to perform a CSRF vs a user, associating the user's session with the attacker's protected resources. While `state` isn't exactly a cryptographic value, it should be generated in a cryptographically secure way. `generateState` should be using a CSPRNG. Version 0.11 modifies the `generateState` function to generate `state` values of at least 128 bits of entropy while using a CSPRNG.

CVE-2017-17910

MEDIUM

CVSS:6.5(Medium)

On Hoermann BiSecur devices before 2018, a vulnerability can be exploited by recording a single radio transmission. An attacker can intercept an arbitrary radio frame exchanged between a BiSecur trans...

CWE-3302017

CVE-2018-1279

MEDIUM

CVSS:6.5(Medium)

Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain informat...

CWE-3302018

CVE-2018-18425

MEDIUM

CVSS:6.5(Medium)

The doAirdrop function of a smart contract implementation for Primeo (PEO), an Ethereum token, does not check the numerical relationship between the amount of the air drop and the token's total supply...

CWE-3302018

CVE-2018-19983

MEDIUM

CVSS:6.5(Medium)

An issue was discovered on Sigma Design Z-Wave S0 through S2 devices. An attacker first prepares a Z-Wave frame-transmission program (e.g., Z-Wave PC Controller, OpenZWave, CC1110, etc.). Next, the at...

CWE-3302018

CVE-2019-6821

MEDIUM

CVSS:6.5(Medium)

CWE-330: Use of Insufficiently Random Values vulnerability, which could cause the hijacking of the TCP connection when using Ethernet communication in Modicon M580 firmware versions prior to V2.30, an...

CWE-3302019

CVE-2019-9102

MEDIUM

CVSS:6.5(Medium)

An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. A predictable mechanism of g...

CWE-3302019

CVE-2024-42475

Vulnerability Description

Related Vulnerabilities

CVE-2017-17910

CVE-2018-1279

CVE-2018-18425

CVE-2018-19983

CVE-2019-6821

CVE-2019-9102