Lucene search

GoogleOSV:GHSA-93X8-66J2-WWR5

HistoryFeb 17, 2024 - 6:30 a.m.

Server-Side Request Forgery in github.com/greenpau/caddy-security

2024-02-1706:30:35

Google

osv.dev

ssrf

x-forwarded-host

vulnerability

exploit

caddy-security

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.5%

JSON

All versions of the package github.com/greenpau/caddy-security are vulnerable to Server-side Request Forgery (SSRF) via X-Forwarded-Host header manipulation. An attacker can expose sensitive information, interact with internal services, or exploit other vulnerabilities within the network by exploiting this vulnerability.

CPENameOperatorVersion
github.com/greenpau/caddy-securityle1.1.23

CPE	Name	Operator	Version
	github.com/greenpau/caddy-security	le	1.1.23

References

github.com/greenpau/caddy-security

blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy

github.com/greenpau/caddy-security/issues/269

nvd.nist.gov/vuln/detail/CVE-2024-21498

security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249862

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.5%

JSON

Related for OSV:GHSA-93X8-66J2-WWR5