Improper Authentication in Caddy - CVE-2018-21246
Published: June 15, 2020 / Updated: July 17, 2020
Vulnerability identifier: #VU30257
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-21246
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Caddy
Affected software:
Caddy
Caddy
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.
How to mitigate CVE-2018-21246
Install update from vendor's website.