Miggo Logo
Miggo Vulnerability Database
CVE-2018-21246

CVE-2018-21246: Caddy vulnerable to Authentication Bypass due to mishandling of TLS client authentication

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2018-21246
GHSA ID
GHSA-gr7w-x2jp-3xgw
EPSS Score
0.66282%
CWE
CWE-287
Published
10/6/2022
Updated
2/14/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/caddyserver/caddygo< 0.10.130.10.13

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from three key flaws: 1) Missing enforcement of hostname consistency between TLS SNI and HTTP Host headers, 2) Failure to require strict configuration when ClientAuth was enabled, and 3) Ambiguous ClientAuth CA pool configurations. The commit diff shows these functions were specifically modified to add StrictHostMatching enforcement, QUIC compatibility checks, and CA pool validation - indicating they were the vulnerable points. The pre-patch versions of MakeServers didn't set StrictHostMatching, serveHTTP didn't validate SNI/Host consistency, and assertConfigsCompatible didn't check CA pool conflicts.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

****y ***or* *.**.** mis**n*l*s TLS *li*nt *ut**nti**tion, *s **monstr*t** *y *n *ut**nti**tion *yp*ss **us** *y t** l**k o* t** Stri*t*ostM*t**in* mo**.

Reasoning

T** vuln*r**ility st*mm** *rom t*r** k*y *l*ws: *) Missin* *n*or**m*nt o* *ostn*m* *onsist*n*y **tw**n TLS SNI *n* *TTP *ost *****rs, *) **ilur* to r*quir* stri*t *on*i*ur*tion w**n *li*nt*ut* w*s *n**l**, *n* *) *m*i*uous *li*nt*ut* ** pool *on*i*ur