CVE-2018-21246
Published 2020-06-15
CVE-2018-21246: Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.
Priority P357 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.72% (84.2th percentile)
Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| caddyserver | caddy | < 0.10.3 | 0.10.3 |
| debian | caddy | — | — |
| github.com | caddyserver_caddy | >= 0 < 0.10.13 | 0.10.13 |
| github.com | mholt_caddy | >= 0 < 0.10.13 | 0.10.13 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_debian | — | 9.8 | LOW | — |
GHSA · 2022-10-06
CVE-2018-21246 [CRITICAL] CWE-287: Caddy vulnerable to Authentication Bypass due to mishandling of TLS client authentication
Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.
OSV · 2022-10-06
CVE-2018-21246 [CRITICAL]: Caddy vulnerable to Authentication Bypass due to mishandling of TLS client authentication
Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.
OSV · 2021-04-14
CVE-2018-21246: Authentication bypass in github.com/mholt/caddy
Due to improper TLS verification when serving traffic for multiple SNIs, an attacker may bypass TLS client authentication by indicating an SNI during the TLS handshake that is different from the name in the HTTP Host header.
Debian (vendor_debian) · 2018 · CVSS 9.8
CVE-2018-21246 [CRITICAL]: caddy
Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.
Scope: local
bookworm: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Published: 2020-06-15