Fluid Attacks Database

Description

Open Redirect in Caddy Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/caddyserver/caddy	=2.4.6	2.5.0
go	github.com/caddyserver/caddy/v2	>=0 <2.5.0-beta.1	2.5.0-beta.1
debian 13	caddy	>=0 <2.5.2-1	2.5.2-1
debian 12	caddy	>=0 <2.5.2-1	2.5.2-1
debian 14	caddy	>=0 <2.5.2-1	2.5.2-1

Aliases

1. CVE-2022-289232. NVD-2022-289233. OSV-2022-289234. OSV-DEBIAN-2022-289235. GCVE-2022-289236. SECURITY-TRACKER-CVE-2022-28923

References

1. https://lednerb.de/en/publications/responsible-disclosure/caddy-open-redirect-vulnerability/2. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-28923.yaml3. https://github.com/caddyserver/caddy/commit/78b5356f2b1945a90de1ef7f2c7669d82098edbd4. https://lednerb.de/en/publications/responsible-disclosure/caddy-open-redirect-vulnerability5. https://pkg.go.dev/vuln/GO-2023-1567