CVE-2018-21246 – github.com/caddyserver/caddy
Package
Manager: go
Name: github.com/caddyserver/caddy
Vulnerable Version: >=0 <0.10.13
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00669 (percentile 0.70427)
Details
Caddy vulnerable to Authentication Bypass due to mishandling of TLS client authentication
Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.
Metadata
Created: 2022-10-06T22:58:56Z
Modified: 2022-10-06T22:58:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-gr7w-x2jp-3xgw/GHSA-gr7w-x2jp-3xgw.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-gr7w-x2jp-3xgw
Finding: F006
Auto approve: 1