CVE-2018-21246
Authentication bypass in github.com/mholt/caddy
Severity: CRITICAL 9.8 | EPSS: 1.4%
Published: 10/6/2022 | Modified: 5/20/2024
Description
Due to improper TLS verification when serving traffic for multiple SNIs, an attacker may bypass TLS client authentication by indicating an SNI during the TLS handshake that is different from the name in the HTTP Host header.
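The failure mode described above is two layers disagreeing about which site a request belongs to: the TLS handshake selects a certificate and client-authentication policy by SNI, while the HTTP layer routes by the Host header. A server that enforces client certificates per site has to make sure both layers name the same site. The following Go middleware is an added example written for this page, not Caddy's code or the referenced patch: it compares the negotiated SNI against the Host header (ignoring port and case) and rejects mismatches with 403. The names sniMatchesHost, requireSNIMatch and statusFor, the hostnames, and the choice of 403 are this example's own assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostnameOnly strips an optional ":port" from an HTTP Host header value, so
// "example.com:8443" compares equal to an SNI of "example.com".
func hostnameOnly(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		return h
	}
	return host
}

// sniMatchesHost reports whether the server name negotiated in the TLS
// handshake agrees with the hostname the HTTP layer will route on. DNS names
// are case-insensitive, so the comparison folds case. An empty SNI has
// nothing to compare and is left to whatever default-site policy applies.
func sniMatchesHost(tlsServerName, hostHeader string) bool {
	if tlsServerName == "" {
		return true
	}
	return strings.EqualFold(hostnameOnly(hostHeader), tlsServerName)
}

// requireSNIMatch is middleware (hypothetical name, this example's own) that
// refuses any TLS request whose Host header names a different site than the
// one whose certificate and client-auth policy were selected by SNI.
func requireSNIMatch(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil && !sniMatchesHost(r.TLS.ServerName, r.Host) {
			http.Error(w, "TLS SNI does not match HTTP Host header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs one synthetic request through the middleware and returns the
// resulting status code. tlsServerName == "" models a handshake without SNI.
func statusFor(tlsServerName, host string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Host = host
	req.TLS = &tls.ConnectionState{ServerName: tlsServerName, HandshakeComplete: true}
	rec := httptest.NewRecorder()
	protected := requireSNIMatch(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	protected.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed cases: the first three are legitimate variations of a
	// matching request; the fourth is the mismatch pattern the advisory describes.
	cases := [][2]string{
		{"public.example.com", "public.example.com"},
		{"public.example.com", "public.example.com:8443"},
		{"public.example.com", "Public.Example.COM"},
		{"public.example.com", "internal.example.com"},
	}
	for _, c := range cases {
		fmt.Printf("SNI=%-20s Host=%-26s -> %d\n", c[0], c[1], statusFor(c[0], c[1]))
	}
}
```

The check deliberately runs after the handshake, where both values are available on the request, and before any routing or client-certificate decision that depends on the Host header. Whether a handshake without SNI should be allowed onto a client-authenticated site is a policy choice; this example passes it through, a stricter deployment could reject it.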
Affected packages (2)
- Go, github.com/caddyserver/caddy: from 0, < 0.10.13
- Go, github.com/mholt/caddy: from 0, < 0.10.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2018-21246
- PATCH: https://github.com/caddyserver/caddy
- WEB: https://bugs.gentoo.org/715214
- WEB: https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3
- WEB: https://github.com/caddyserver/caddy/pull/2099
- WEB: https://github.com/caddyserver/caddy/releases/tag/v0.10.13
- WEB: https://pkg.go.dev/vuln/GO-2020-0043