data/reports/GO-2020-0043.yaml - vulndb - Git at Google

 modules:
   - module: github.com/mholt/caddy
     versions:
       - fixed: 0.10.13
     packages:
       - package: github.com/mholt/caddy/caddyhttp/httpserver
         symbols:
           - httpContext.MakeServers
           - Server.serveHTTP
           - assertConfigsCompatible
 description: |
     Due to improper TLS verification when serving traffic for multiple
     SNIs, an attacker may bypass TLS client authentication by indicating
     an SNI during the TLS handshake that is different from the name in
     the HTTP Host header.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2018-21246
 ghsas:
   - GHSA-gr7w-x2jp-3xgw
 references:
   - fix: https://github.com/caddyserver/caddy/pull/2099
   - fix: https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3
   - web: https://bugs.gentoo.org/715214
	modules:
	- module: github.com/mholt/caddy
	versions:
	- fixed: 0.10.13
	packages:
	- package: github.com/mholt/caddy/caddyhttp/httpserver
	symbols:
	- httpContext.MakeServers
	- Server.serveHTTP
	- assertConfigsCompatible
	description: \|
	Due to improper TLS verification when serving traffic for multiple
	SNIs, an attacker may bypass TLS client authentication by indicating
	an SNI during the TLS handshake that is different from the name in
	the HTTP Host header.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2018-21246
	ghsas:
	- GHSA-gr7w-x2jp-3xgw
	references:
	- fix: https://github.com/caddyserver/caddy/pull/2099
	- fix: https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3
	- web: https://bugs.gentoo.org/715214