blob: 100df3387083d3b3ebdac11257663a712d5ecdc9 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2023-1567",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2022-28923",
"GHSA-qpm3-vr34-h8w8"
],
"summary": "Open redirect in github.com/caddyserver/caddy/v2",
"details": "Due to improper request sanitization, a crafted URL can cause the static file handler to redirect to an attacker chosen URL, allowing for open redirect attacks.",
"affected": [
{
"package": {
"name": "github.com/caddyserver/caddy/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.0-beta.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/caddyserver/caddy/v2/modules/caddyhttp",
"symbols": [
"SanitizedPathJoin"
]
},
{
"path": "github.com/caddyserver/caddy/v2/modules/caddyhttp/fileserver",
"symbols": [
"FileServer.Provision",
"FileServer.ServeHTTP",
"FileServer.directoryListing",
"MatchFile.Match",
"MatchFile.UnmarshalCaddyfile",
"MatchFile.Validate",
"fileInfo.HumanModTime",
"fileInfo.HumanSize",
"statusOverrideResponseWriter.WriteHeader"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://lednerb.de/en/publications/responsible-disclosure/caddy-open-redirect-vulnerability/"
},
{
"type": "FIX",
"url": "https://github.com/caddyserver/caddy/commit/78b5356f2b1945a90de1ef7f2c7669d82098edbd"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-qpm3-vr34-h8w8"
}
],
"credits": [
{
"name": "Mayank Mukhi (@Hunt2behunter)"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1567"
}
}