Vulnerability Report: GO-2020-0043
- CVE-2018-21246, GHSA-gr7w-x2jp-3xgw
- Affects: github.com/mholt/caddy
- Published: Apr 14, 2021
- Modified: Jun 12, 2023
Due to improper TLS verification when serving traffic for multiple SNIs, an attacker may bypass TLS client authentication by indicating an SNI during the TLS handshake that is different from the name in the HTTP Host header.
Affected Packages
-
PathVersionsSymbols
-
before v0.10.13all symbols
Aliases
References
- https://github.com/caddyserver/caddy/pull/2099
- https://github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3
- https://bugs.gentoo.org/715214
- https://vuln.go.dev/ID/GO-2020-0043.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.