GO-2020-0043

Source
https://pkg.go.dev/vuln/GO-2020-0043
Import Source
https://vuln.go.dev/ID/GO-2020-0043.json
JSON Data
https://api.test.osv.dev/v1/vulns/GO-2020-0043
Aliases
Published
2021-04-14T20:04:52Z
Modified
2024-05-20T16:03:47Z
Summary
Authentication bypass in github.com/mholt/caddy
Details

Due to improper TLS verification when serving traffic for multiple SNIs, an attacker may bypass TLS client authentication by indicating an SNI during the TLS handshake that is different from the name in the HTTP Host header.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2020-0043"
}
References

Affected packages

Go / github.com/mholt/caddy

Package

Name
github.com/mholt/caddy
Purl
pkg:golang/github.com/mholt/caddy

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.10.13

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/mholt/caddy/caddyhttp/httpserver",
            "symbols": [
                "Server.serveHTTP",
                "assertConfigsCompatible",
                "httpContext.MakeServers"
            ]
        }
    ]
}