CVE-2018-21246
Authentication bypass in github.com/mholt/caddy
9.8
CRITICAL
CVSS 3.1
EPSS 1.4%
Description
Due to improper TLS verification when serving traffic for multiple SNIs (server names on one listener), an attacker may bypass TLS client authentication by presenting, during the TLS handshake, an SNI that differs from the name in the HTTP Host header. The client-certificate requirement is enforced per SNI, so a handshake under one server name can carry requests whose Host header names a different site.
How to fix CVE-2018-21246
To remediate CVE-2018-21246, upgrade the affected package(s) to a fixed version listed below.
- Go/github.com/caddyserver/caddy: upgrade to 0.10.13 or later
- (package name missing): upgrade to 0.10.13 or later
Is CVE-2018-21246 being exploited?
Low — the EPSS score is 1.4% (the estimated probability of exploitation activity in the wild within the next 30 days), indicating that exploitation has not been observed at scale.
Affected packages (2)
- (package name missing): affected versions from 0, < 0.10.13
- (package name missing): affected versions from 0, < 0.10.13
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |