| modules: |
| - module: github.com/mholt/caddy |
| versions: |
| - fixed: 0.10.13 |
| vulnerable_at: 0.10.13-0.20180330123946-2966db7b7800 |
| packages: |
| - package: github.com/mholt/caddy/caddyhttp/httpserver |
| symbols: |
| - httpContext.MakeServers |
| - Server.serveHTTP |
| - assertConfigsCompatible |
| skip_fix: 'TODO: revisit this reason. (cannot find module providing package |
| github.com/lucas-clemente/quic-go/h2quic)' |
| description: | |
| Due to improper TLS verification when serving traffic for multiple |
| SNIs, an attacker may bypass TLS client authentication by indicating |
| an SNI during the TLS handshake that is different from the name in |
| the HTTP Host header. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2018-21246 |
| ghsas: |
| - GHSA-gr7w-x2jp-3xgw |
| references: |
| - fix: https://github.com/caddyserver/caddy/pull/2099 |
| - fix: https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3 |
| - web: https://bugs.gentoo.org/715214 |
