| module: github.com/mholt/caddy |
| package: github.com/mholt/caddy/caddyhttp/httpserver |
| versions: |
| - fixed: v0.10.13 |
| description: | |
| Due to improper TLS verification when serving traffic for multiple |
| SNIs, an attacker may bypass TLS client authentication by indicating |
| an SNI during the TLS handshake that is different from the name in |
| the HTTP Host header. |
| published: 2021-04-14T12:00:00Z |
| cve: CVE-2018-21246 |
| symbols: |
| - httpContext.MakeServers |
| - Server.serveHTTP |
| - assertConfigsCompatible |
| links: |
| pr: https://github.com/caddyserver/caddy/pull/2099 |
| commit: https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3 |
| context: |
| - https://bugs.gentoo.org/715214 |