Improper Authentication in Caddy Caddy

Published: 2020-06-15 | Updated: 2020-07-17

Risk	High
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2018-21246
CWE-ID	CWE-287
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Caddy Web applications / Other software
Vendor	Caddy

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Improper Authentication

EUVDB-ID: #VU30257

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-21246

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Caddy: 0.10.0 - 0.10.2

CPE2.3

External links

https://bugs.gentoo.org/715214
https://github.com/caddyserver/caddy/releases/tag/v0.10.13

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.