module: github.com/mholt/caddy
package: github.com/mholt/caddy/caddyhttp/httpserver
versions:
- fixed: v0.10.13
description: |
  Where the server is listening for multiple SNI names an attacker can
  complete a TLS handshake for a host name that does not require TLS
  client authentication and then send HTTP requests for a host name that
  does require TLS client authentication, thereby bypassing those checks.
published: 2021-04-14T12:00:00Z
cve: CVE-2018-21246
symbols:
- httpContext.MakeServers
- Server.serveHTTP
- assertConfigsCompatible
links:
  pr: https://github.com/caddyserver/caddy/pull/2099
  commit: https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3
  context:
    - https://bugs.gentoo.org/715214