Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-28923 — Open Redirect in Caddyserver Caddy V2

CWE-601 — Open Redirect9 documents7 sources

Severity

6.1MEDIUMNVD

EPSS

2.9%

top 13.61%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Caddyserver Caddy Github.com Caddyserver Caddy V2

Timeline

PublishedFeb 6

Latest updateFeb 16

Description

Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶Gogithub.com/caddyserver_caddy_v2< 2.5.0-beta.1

▶Debiancaddyserver/caddy< 2.5.2-1+1

▶NVDcaddyserver/caddy2.4.6

Patches

Patch: lednerb.de ↗Patch: lednerb.de ↗

🔴Vulnerability Details

OSV

Open redirect in github.com/caddyserver/caddy/v2↗2023-02-16

▶

GHSA

Open Redirect in Caddy↗2023-02-07

▶

OSV

Open Redirect in Caddy↗2023-02-07

▶

CVEList

CVE-2022-28923: Caddy v2↗2023-02-06

▶

OSV

CVE-2022-28923: Caddy v2↗2023-02-06

▶

💥Exploits & PoCs

Nuclei

Caddy 2.4.6 - Open Redirect

▶

📋Vendor Advisories

Red Hat

caddy: an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs↗2023-02-07

▶

Debian

CVE-2022-28923: caddy - Caddy v2.4.6 was discovered to contain an open redirection vulnerability which a...↗2022

▶