GHSA-gr7w-x2jp-3xgw

Source
https://github.com/advisories/GHSA-gr7w-x2jp-3xgw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-gr7w-x2jp-3xgw/GHSA-gr7w-x2jp-3xgw.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-gr7w-x2jp-3xgw
Aliases
Published
2022-10-06T22:58:56Z
Modified
2023-11-01T04:49:24.286044Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Caddy vulnerable to Authentication Bypass due to mishandling of TLS client authentication
Details

Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2022-10-06T22:58:56Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-287"
    ]
}
References

Affected packages

Go / github.com/caddyserver/caddy

Package

Name
github.com/caddyserver/caddy
Purl
pkg:golang/github.com/caddyserver/caddy

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.10.13