3.7

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-19148

GHSA ID

GHSA-jf2w-mq6r-56v8

EPSS Score

0.38648%

CWE

CWE-200

Published

5/14/2022

Updated

4/24/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-19148

CVE-2018-19148: Caddy allows enumeration of Certificates and Hostnames

Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests (with a nonexistent hostname in the Host header) permit full enumeration of all certificates on the server. This generally permits an attacker to easily and accurately discover the existence of and relationships among hostnames that weren't meant to be public, though this information could likely have been discovered via other methods with additional effort.

(GitHub Advisory)

3.7

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-19148

GHSA ID

GHSA-jf2w-mq6r-56v8

EPSS Score

0.38648%

CWE

CWE-200

Published

5/14/2022

Updated

4/24/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/caddyserver/caddy	go	< 0.11.1	0.11.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from Caddy's TLS handshake behavior when encountering unmatched Host headers. The key functions in caddytls/handshake.go: 1) getCertificate() previously selected a random certificate from a global cache when no SNI match was found, as shown by the commit diff removing 'default certificate' fallback logic. 2) getCertDuringHandshake() facilitated this by not properly restricting certificate selection. The patch introduced certificate cache restructuring and strict SNI matching, confirming these functions' role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

****y t*rou** *.**.* s*n*s in*orr**t **rti*i**t*s *or **rt*in inv*li* r*qu*sts, m*kin* it **si*r *or *tt**k*rs to *num*r*t* *ostn*m*s. Sp**i*i**lly, w**n un**l* to m*t** * *ost *****r wit* * v*ost in its *on*i*ur*tion, it s*rv*s t** X.*** **rti*i**t*

Reasoning

T** vuln*r**ility st*mm** *rom ****y's TLS **n*s**k* ****vior w**n *n*ount*rin* unm*t**** *ost *****rs. T** k*y *un*tions in `****ytls/**n*s**k*.*o`: *) `**t**rti*i**t*()` pr*viously s*l**t** * r*n*om **rti*i**t* *rom * *lo**l ***** w**n no SNI m*t**

3.7

Basic Information

Concerned about an active attack path?

CVE-2018-19148: Caddy allows enumeration of Certificates and Hostnames

3.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI