CVE-2018-19148 Information

Description

Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests (with a nonexistent hostname in the Host header) permit full enumeration of all certificates on the server. This generally permits an attacker to easily and accurately discover the existence of and relationships among hostnames that weren't meant to be public, though this information could likely have been discovered via other methods with additional effort.
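
The fallback described above, modelled in Go as an added example (not Caddy's code and not its actual fix). `certStore`, `selector` and `exposed` are hypothetical names, the certificates are placeholders, and the requested name is assumed to arrive as the ClientHello server name passed to a `tls.Config.GetCertificate`-style callback; refusing the handshake for an unmatched name is shown as one possible hardening.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"math/rand"
)

// certStore holds one placeholder certificate per configured vhost (constructed data).
type certStore []*tls.Certificate

// newStore fakes each certificate's DER bytes with the vhost name so it can be identified.
func newStore(names ...string) (s certStore) {
	for _, n := range names {
		s = append(s, &tls.Certificate{Certificate: [][]byte{[]byte(n)}})
	}
	return s
}

// selector returns a GetCertificate-style callback; randomFallback=true models the described flaw.
func (s certStore) selector(randomFallback bool) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		for _, c := range s {
			if string(c.Certificate[0]) == h.ServerName {
				return c, nil
			}
		}
		if randomFallback && len(s) > 0 {
			return s[rand.Intn(len(s))], nil // unmatched name still gets some vhost's certificate
		}
		return nil, fmt.Errorf("no certificate for %q", h.ServerName) // handshake fails, nothing disclosed
	}
}

// exposed counts distinct certificates served over n requests for an unconfigured name.
func exposed(sel func(*tls.ClientHelloInfo) (*tls.Certificate, error), n int) int {
	seen := map[string]bool{}
	for i := 0; i < n; i++ {
		if c, err := sel(&tls.ClientHelloInfo{ServerName: "unknown.invalid"}); err == nil {
			seen[string(c.Certificate[0])] = true
		}
	}
	return len(seen)
}

func main() {
	s := newStore("www.example.test", "staging.example.test", "admin.example.test")
	fmt.Println("random fallback:", exposed(s.selector(true), 200), "strict:", exposed(s.selector(false), 200))
}
```

The same `exposed` count works as a regression check in a server's test suite: for any name outside the configuration it should stay at zero.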

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

https://github.com/mholt/caddy/issues/1303
https://github.com/mholt/caddy/issues/2334
https://github.com/mholt/caddy/pull/2015
https://securitytrails.com/blog/caddy-web-server-ssl-bug

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

3.7

Base Severity

LOW
