PT-2024-18914 · Unknown · Caddy-Security

David Pokora

Published: 2024-02-16
Updated: 2024-06-28

CVE-2024-21499

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: github.com/greenpau/caddy-security, all versions
Description: The issue is an HTTP Header Injection via the X-Forwarded-Proto header. The software uses the value of this header to build a redirect, so a client-supplied protocol is reflected into the redirect target. This could lead to the bypass of security mechanisms or to confusion in TLS handling.
Recommendations: For all versions, consider disabling the redirect functionality based on the X-Forwarded-Proto header until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the X-Forwarded-Proto header in redirects to prevent potential HTTP Header Injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
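The pattern behind this class of bug and the mitigation recommended above, as an added Go example that is not code from caddy-security: one function copies X-Forwarded-Proto into the redirect scheme verbatim, the other only honours the header when it is exactly "http" or "https" and otherwise falls back to the scheme of the connection the server itself observed. The function names, the "/auth/login" path and the sample request are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedProto is the only set of schemes a reverse proxy should ever assert
// in X-Forwarded-Proto; anything else is treated as untrusted input.
var allowedProto = map[string]bool{"http": true, "https": true}

// redirectSchemeUnsafe mirrors the vulnerable pattern: whatever the client
// (or an upstream proxy) put in X-Forwarded-Proto is used as the scheme.
func redirectSchemeUnsafe(r *http.Request) string {
	if p := r.Header.Get("X-Forwarded-Proto"); p != "" {
		return p
	}
	return "http"
}

// redirectSchemeSafe honours the header only for an allow-listed scheme and
// otherwise derives the scheme from the connection the server actually saw.
func redirectSchemeSafe(r *http.Request) string {
	p := strings.ToLower(r.Header.Get("X-Forwarded-Proto"))
	if allowedProto[p] {
		return p
	}
	if r.TLS != nil {
		return "https"
	}
	return "http"
}

// loginLocation builds the Location target for a redirect to the login page.
func loginLocation(scheme, host string) string {
	u := url.URL{Scheme: scheme, Host: host, Path: "/auth/login"}
	return u.String()
}

func main() {
	// Constructed request carrying a header value that is not a web scheme.
	r := httptest.NewRequest("GET", "http://app.example/", nil)
	r.Header.Set("X-Forwarded-Proto", "ftp")
	fmt.Println(loginLocation(redirectSchemeUnsafe(r), r.Host)) // reflects "ftp"
	fmt.Println(loginLocation(redirectSchemeSafe(r), r.Host))   // falls back to "http"
}
```

In a real deployment the header should additionally be trusted only when the request arrived from a known proxy address; the allow-list alone does not establish who set it.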

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

CVE-2024-21499
GHSA-R969-783F-6JQR
GO-2024-2562

Affected Products

Caddy-Security