rpm package
opensuse/caddy&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/caddy&distro=openSUSE%20Tumbleweed
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-22189 | Hig | 7.5 | < 2.8.4-1.1 | 2.8.4-1.1 | Apr 4, 2024 | quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame | |
| CVE-2023-45142 | — | < 2.7.6-1.1 | 2.7.6-1.1 | Oct 12, 2023 | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests | ||
| CVE-2022-41721 | — | < 2.6.3-1.1 | 2.6.3-1.1 | Jan 13, 2023 | A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which coul | ||
| CVE-2022-34037 | — | < 2.5.2-2.1 | 2.5.2-2.1 | Jul 22, 2022 | An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Note: This has been disputed as a bug, not a security vulnerability, in the Caddy web server that emerged | ||
| CVE-2022-29718 | — | < 2.5.1-2.1 | 2.5.1-2.1 | Jun 2, 2022 | Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links. |
- affected < 2.8.4-1.1fixed 2.8.4-1.1
quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame
- CVE-2023-45142Oct 12, 2023affected < 2.7.6-1.1fixed 2.7.6-1.1
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests
- CVE-2022-41721Jan 13, 2023affected < 2.6.3-1.1fixed 2.6.3-1.1
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which coul
- CVE-2022-34037Jul 22, 2022affected < 2.5.2-2.1fixed 2.5.2-2.1
An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Note: This has been disputed as a bug, not a security vulnerability, in the Caddy web server that emerged
- CVE-2022-29718Jun 2, 2022affected < 2.5.1-2.1fixed 2.5.1-2.1
Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.