Homepage
About Snyk

Information Exposure Affecting github.com/caddyserver/caddy/v2/caddyhttp/httpserver package, versions *

0.0
low

Snyk CVSS

    Attack Complexity High

    Threat Intelligence

    EPSS 0.14% (50th percentile)
Expand this section
NVD
3.7 low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMCADDYSERVERCADDYV2CADDYHTTPHTTPSERVER-6673859
  • published 25 Apr 2024
  • disclosed 14 May 2022
  • credit Max Lielje, Deleted user
Report a new vulnerability Found a mistake?

Introduced: 14 May 2022

CVE-2018-19148 Open this link in a new tab
CWE-200 Open this link in a new tab

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

github.com/caddyserver/caddy/v2/caddyhttp/httpserver is an implementation of an HTTP server on top of Caddy.

Affected versions of this package are vulnerable to Information Exposure due to the server's handling of invalid requests. Specifically when it cannot match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost. Repeated requests with a nonexistent hostname in the Host header allow for the full enumeration of all certificates on the server, thereby enabling an attacker to easily and accurately discover the existence of and relationships among hostnames that were not intended to be public.