Vulnerability Report: GO-2020-0043

CVE-2018-21246, GHSA-gr7w-x2jp-3xgw
Affects: github.com/mholt/caddy
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper TLS verification when serving traffic for multiple SNIs, an attacker may bypass TLS client authentication by indicating an SNI during the TLS handshake that is different from the name in the HTTP Host header.

Affected Packages

Path

Versions

Symbols
github.com/mholt/caddy/caddyhttp/httpserver

before v0.10.13
3 unexported affected symbols
- Server.serveHTTP
- assertConfigsCompatible
- httpContext.MakeServers

Aliases

CVE-2018-21246
GHSA-gr7w-x2jp-3xgw

References

https://github.com/caddyserver/caddy/pull/2099
https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3
https://bugs.gentoo.org/715214
https://vuln.go.dev/ID/GO-2020-0043.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL