Go modules package
github.com/caddyserver/caddy
pkg:golang/github.com/caddyserver/caddy
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-34037 | — | | | < 2.5.2 | 2.5.2 | Jul 22, 2022 | An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Note: This has been disputed as a bug, not a security vulnerability, in the Caddy web server that emerged |
| CVE-2022-29718 | — | | | < 2.5.0 | 2.5.0 | Jun 2, 2022 | Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links. |
| CVE-2018-21246 | — | | | < 0.10.13 | 0.10.13 | Jun 15, 2020 | Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode. |
| CVE-2018-19148 | — | | | < 0.11.1 | 0.11.1 | Nov 10, 2018 | Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost |