CVE-2024-21499
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
17/02/2024
Last modified:
26/02/2025
Description
All versions of the package github.com/greenpau/caddy-security are vulnerable to HTTP Header Injection via the X-Forwarded-Proto header due to redirecting to the injected protocol.Exploiting this vulnerability could lead to bypass of security mechanisms or confusion in handling TLS.
Impact
Base Score 3.x
4.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:greenpau:caddy-security:*:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
- https://github.com/greenpau/caddy-security/issues/270
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249863
- https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
- https://github.com/greenpau/caddy-security/issues/270
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249863