TLS Client Authentication Flaw in Caddy Web Server by Caddy Server
CVE-2018-21246

9.8CRITICAL

Key Information:

Vendor: Caddyserver
Status: Caddy
Vendor: CVE Published:; 15 June 2020

🔔 Create Caddyserver Vulnerability Alert

What is CVE-2018-21246?

Caddy versions before 0.10.13 exhibit a serious flaw in their handling of TLS client authentication. This vulnerability allows an attacker to bypass authentication due to the absence of the StrictHostMatching mode, potentially compromising the security of hosted applications and services.

References

https://github.com/caddyserver/caddy/releases/tag/v0.10.13

x_refsource_MISC

https://bugs.gentoo.org/715214

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 15, 2020
Vulnerability Reserved
Jun 15, 2020

CVE-2018-21246 Data

JSON