CVE-2024-21494

Name of the Vulnerable Software and Affected Versions github.com/greenpau/caddy-security versions all

Description The issue concerns improper input sanitization, allowing for Authentication Bypass by Spoofing via the X-Forwarded-For header. An attacker can spoof an IP address used in the user identity module, specifically targeting the /whoami API endpoint. This could lead to unauthorized access if the system trusts the spoofed IP address.

Recommendations As a temporary workaround, consider disabling the use of the X-Forwarded-For header in the user identity module until a patch is available. Restrict access to the /whoami API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.