CVE-2018-21246 — Improper Authentication in Caddyserver Caddy

CWE-287 — Improper Authentication7 documents6 sources

Severity

9.8CRITICALNVD

EPSS

1.4%

top 19.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Caddyserver Caddy Github.com Mholt Caddy Caddyserver Caddy

Timeline

PublishedJun 15

Latest updateOct 6

Description

Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDcaddyserver/caddy< 0.10.3

▶Gogithub.com/mholt_caddy< 0.10.13

▶Gogithub.com/caddyserver_caddy< 0.10.13

🔴Vulnerability Details

GHSA

Caddy vulnerable to Authentication Bypass due to mishandling of TLS client authentication↗2022-10-06

▶

OSV

Caddy vulnerable to Authentication Bypass due to mishandling of TLS client authentication↗2022-10-06

▶

OSV

Authentication bypass in github.com/mholt/caddy↗2021-04-14

▶

CVEList

CVE-2018-21246: Caddy before 0↗2020-06-15

▶

📋Vendor Advisories

Debian

CVE-2018-21246: caddy - Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an...↗2018

▶

💬Community

Bugzilla

CVE-2018-21246 caddy: Does not have tls StrictHostMatching mode enabled which could result in client auth bypass↗2020-05-05

▶