2FA Bypass Vulnerability Affects All Versions of Caddy Security
CVE-2024-21500

6.5MEDIUM

Key Information:

Vendor: github.com/greenpau/caddy-security
Status: Github.com/greenpau/caddy-security
Vendor: CVE Published:; 17 February 2024

🔔 Create github.com/greenpau/caddy-security Vulnerability Alert

What is CVE-2024-21500?

All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Restriction of Excessive Authentication Attempts via the two-factor authentication (2FA). Although the application blocks the user after several failed attempts to provide 2FA codes, attackers can bypass this blocking mechanism by automating the application’s full multistep 2FA process.

Affected Version(s)

github.com/greenpau/caddy-security 0

References

https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENP...

https://github.com/greenpau/caddy-security/issues/271

https://blog.trailofbits.com/2023/09/18/security-flaws-in...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 17, 2024
Vulnerability Reserved
Dec 22, 2023

Credit

Maciej Domanski

Travis Peters

David Pokora