ID

VAR-202006-1275


CVE

CVE-2018-21246


TITLE

Authentication vulnerability in Caddy

Trust: 0.8

sources: JVNDB: JVNDB-2018-016451

DESCRIPTION

Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode. Caddy contains an authentication vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Caddy is an open source, cross-platform HTTP/Web server. Attackers can use this vulnerability to bypass authentication.

Trust: 2.16

sources: NVD: CVE-2018-21246 // JVNDB: JVNDB-2018-016451 // CNVD: CNVD-2021-25698

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-25698

AFFECTED PRODUCTS

vendor: caddyserver model: caddy scope: lt version: 0.10.3

Trust: 1.0

vendor: light code model: caddy scope: eq version: 0.10.13

Trust: 0.8

vendor: caddyserver model: caddy scope: lt version: 0.10.13

Trust: 0.6

sources: CNVD: CNVD-2021-25698 // JVNDB: JVNDB-2018-016451 // NVD: CVE-2018-21246

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-21246
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2018-016451
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2021-25698
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202006-1027
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2018-21246
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2018-016451
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-25698
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-21246
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2018-016451
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-25698 // JVNDB: JVNDB-2018-016451 // CNNVD: CNNVD-202006-1027 // NVD: CVE-2018-21246

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.8

sources: JVNDB: JVNDB-2018-016451 // NVD: CVE-2018-21246

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-1027

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202006-1027

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-016451

PATCH

title: 0.10.13 url: https://github.com/caddyserver/caddy/releases/tag/v0.10.13

Trust: 0.8

title: Patch for Caddy authorization issue vulnerability url: https://www.cnvd.org.cn/patchInfo/show/256456

Trust: 0.6

title: Caddy Remediation measures for authorization problem vulnerabilities url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=122486

Trust: 0.6

sources: CNVD: CNVD-2021-25698 // JVNDB: JVNDB-2018-016451 // CNNVD: CNNVD-202006-1027

EXTERNAL IDS

db: NVD id: CVE-2018-21246

Trust: 3.0

db: JVNDB id: JVNDB-2018-016451

Trust: 0.8

db: CNVD id: CNVD-2021-25698

Trust: 0.6

db: CNNVD id: CNNVD-202006-1027

Trust: 0.6

sources: CNVD: CNVD-2021-25698 // JVNDB: JVNDB-2018-016451 // CNNVD: CNNVD-202006-1027 // NVD: CVE-2018-21246

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2018-21246

Trust: 2.0

url:https://github.com/caddyserver/caddy/releases/tag/v0.10.13

Trust: 1.6

url:https://bugs.gentoo.org/715214

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-21246

Trust: 0.8

sources: CNVD: CNVD-2021-25698 // JVNDB: JVNDB-2018-016451 // CNNVD: CNNVD-202006-1027 // NVD: CVE-2018-21246

SOURCES

db: CNVD id: CNVD-2021-25698
db: JVNDB id: JVNDB-2018-016451
db: CNNVD id: CNNVD-202006-1027
db: NVD id: CVE-2018-21246

LAST UPDATE DATE

2024-11-23T22:21:06.298000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2021-25698 date: 2021-04-08T00:00:00
db: JVNDB id: JVNDB-2018-016451 date: 2020-07-30T00:00:00
db: CNNVD id: CNNVD-202006-1027 date: 2020-06-30T00:00:00
db: NVD id: CVE-2018-21246 date: 2024-11-21T04:03:16.773

SOURCES RELEASE DATE

db: CNVD id: CNVD-2021-25698 date: 2021-04-08T00:00:00
db: JVNDB id: JVNDB-2018-016451 date: 2020-07-30T00:00:00
db: CNNVD id: CNNVD-202006-1027 date: 2020-06-15T00:00:00
db: NVD id: CVE-2018-21246 date: 2020-06-15T17:15:09.620