CVE-2018-21246

Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
caddyservercaddy
𝑥
< 0.10.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
caddy
bookworm
2.6.2-5
fixed
sid
2.6.2-8
fixed
Common Weakness Enumeration
References
https://bugs.gentoo.org/715214
https://github.com/caddyserver/caddy/releases/tag/v0.10.13
https://bugs.gentoo.org/715214
https://github.com/caddyserver/caddy/releases/tag/v0.10.13