| id: GO-2020-0043 |
| modules: |
| - module: github.com/mholt/caddy |
| versions: |
| - fixed: 0.10.13 |
| vulnerable_at: 0.10.13-0.20180330123946-2966db7b7800 |
| packages: |
| - package: github.com/mholt/caddy/caddyhttp/httpserver |
| symbols: |
| - httpContext.MakeServers |
| - Server.serveHTTP |
| - assertConfigsCompatible |
| skip_fix: 'TODO: revisit this reason. (cannot find module providing package github.com/lucas-clemente/quic-go/h2quic)' |
| summary: Authentication bypass in github.com/mholt/caddy |
| description: |- |
| Due to improper TLS verification when serving traffic for multiple SNIs, an |
| attacker may bypass TLS client authentication by indicating an SNI during the |
| TLS handshake that is different from the name in the HTTP Host header. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2018-21246 |
| ghsas: |
| - GHSA-gr7w-x2jp-3xgw |
| references: |
| - fix: https://github.com/caddyserver/caddy/pull/2099 |
| - fix: https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3 |
| - web: https://bugs.gentoo.org/715214 |
