#VU30257 Improper Authentication in Caddy - CVE-2018-21246 

Published: June 15, 2020 / Updated: July 17, 2020


Vulnerability identifier: #VU30257
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-21246
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Caddy
Software vendor:
Caddy

Description

The vulnerability allows a remote non-authenticated attacker to bypass TLS client-certificate authentication.

Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode. StrictHostMatching ties the client-certificate check to the specific host requested in the TLS handshake; without it, a client certificate accepted for one site served by a Caddy instance could be used to authenticate to a different site on the same instance that also requires client certificates.
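The class of bug described above, as an added example in Go that is not Caddy's own code: two virtual hosts each trust a different client CA, and a client certificate issued by site A's CA is checked first against a single merged CA pool (the weak, host-agnostic pattern, assumed here to model the pre-0.10.13 behaviour) and then against only the CA configured for the host named in the handshake (the strict host matching pattern). The CAs, host names and function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// site is a virtual host and the CA it trusts for TLS client certificates.
type site struct {
	host     string
	clientCA *x509.Certificate
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with priv under parent (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// newCA creates a throwaway self-signed CA (constructed test data, not a real CA).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// newClientCert issues a client-authentication leaf certificate from ca.
func newClientCert(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, ca, &key.PublicKey, caKey)
}

// verifyClient chains leaf to one of the roots in pool for client authentication.
func verifyClient(pool *x509.CertPool, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// verifyMergedPool is the weak pattern: every site's client CA goes into one pool
// and the requested host plays no part, so a certificate issued for any site is
// accepted for all of them.
func verifyMergedPool(sites []site, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, s := range sites {
		pool.AddCert(s.clientCA)
	}
	return verifyClient(pool, leaf)
}

// verifyStrictHost is the hardened pattern: only the CA configured for the host
// actually requested (the SNI name) may vouch for the client; unknown hosts fail.
func verifyStrictHost(sites []site, host string, leaf *x509.Certificate) error {
	for _, s := range sites {
		if s.host == host {
			pool := x509.NewCertPool()
			pool.AddCert(s.clientCA)
			return verifyClient(pool, leaf)
		}
	}
	return fmt.Errorf("no client CA configured for host %q", host)
}

// crossSiteDemo issues a client certificate under site A's CA and reports whether
// it is accepted for site B under each policy.
func crossSiteDemo() (mergedAccepts, strictAccepts bool) {
	caA, keyA := newCA("a.example.com client CA")
	caB, _ := newCA("b.example.com client CA")
	sites := []site{{"a.example.com", caA}, {"b.example.com", caB}}
	client := newClientCert("alice", caA, keyA)
	return verifyMergedPool(sites, client) == nil,
		verifyStrictHost(sites, "b.example.com", client) == nil
}

func main() {
	merged, strict := crossSiteDemo()
	fmt.Printf("site A client cert accepted for site B: merged pool=%v, strict host matching=%v\n", merged, strict)
}
```

The merged pool accepts the cross-site certificate because chain validation only asks "does this chain to some trusted root?"; the strict variant also asks "trusted for which host?", which is the check the advisory says was missing.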


Remediation

Update to Caddy 0.10.13 or later from the vendor's website; that release introduced the StrictHostMatching mode.

External links