CVE-2024-21500: Improper Restriction of Excessive Authentication Attempts in github.com/greenpau/caddy-security

February 17, 2024 (updated April 4, 2025)

All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Restriction of Excessive Authentication Attempts via the two-factor authentication (2FA). Although the application blocks the user after several failed attempts to provide 2FA codes, attackers can bypass this blocking mechanism by automating the application’s full multistep 2FA process.

References

blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy
github.com/advisories/GHSA-vfph-hjfv-cpv2
github.com/greenpau/caddy-security/issues/271
nvd.nist.gov/vuln/detail/CVE-2024-21500
security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249864

Code Behaviors & Features

Detect and mitigate CVE-2024-21500 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →