| module: github.com/mholt/caddy |
| package: github.com/mholt/caddy/caddyhttp/httpserver |
| versions: |
| - fixed: v0.10.13 |
| description: | |
| Where the server is listening for multiple SNI names, an attacker can |
| complete a TLS handshake for a host name that does not require TLS |
| client authentication and then send HTTP requests for a host name that |
| does require TLS client authentication, thereby bypassing those checks. |
| published: 2021-04-14T12:00:00Z |
| cve: CVE-2018-21246 |
| symbols: |
| - httpContext.MakeServers |
| - Server.serveHTTP |
| - assertConfigsCompatible |
| links: |
| pr: https://github.com/caddyserver/caddy/pull/2099 |
| commit: https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3 |
| context: |
| - https://bugs.gentoo.org/715214 |