CVE-2018-21246: Improper Authentication

October 6, 2022 (updated February 14, 2023)

Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.

References

bugs.gentoo.org/715214
github.com/advisories/GHSA-gr7w-x2jp-3xgw
github.com/caddyserver/caddy/commit/4d9ee000c8d2cbcdd8284007c1e0f2da7bc3c7c3
github.com/caddyserver/caddy/pull/2099
github.com/caddyserver/caddy/releases/tag/v0.10.13
nvd.nist.gov/vuln/detail/CVE-2018-21246
pkg.go.dev/vuln/GO-2020-0043

Code Behaviors & Features

Detect and mitigate CVE-2018-21246 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →