FKIE_CVE-2024-21493

Vulnerability from fkie_nvd - Published: 2024-02-17 05:15 - Updated: 2025-02-27 03:08
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Validation of Array Index when parsing a Caddyfile. Multiple parsing functions in the affected library do not validate whether their input values are nil before attempting to access elements, which can lead to a panic (index out of range). Panics during the parsing of a configuration file may introduce ambiguity and vulnerabilities, hindering the correct interpretation and configuration of the web server.
References
report@snyk.iohttps://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/Third Party Advisory
report@snyk.iohttps://github.com/greenpau/caddy-security/issues/263Issue Tracking
report@snyk.iohttps://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/greenpau/caddy-security/issues/263Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078Third Party Advisory
Impacted products
Vendor Product Version
greenpau caddy-security *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:greenpau:caddy-security:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC59AC36-173D-4F24-9F39-50F992A248B8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Validation of Array Index when parsing a Caddyfile. Multiple parsing functions in the affected library do not validate whether their input values are nil before attempting to access elements, which can lead to a panic (index out of range). Panics during the parsing of a configuration file may introduce ambiguity and vulnerabilities, hindering the correct interpretation and configuration of the web server."
    },
    {
      "lang": "es",
      "value": "Todas las versiones del paquete github.com/greenpau/caddy-security son vulnerables a una validaci\u00f3n incorrecta del \u00edndice de matriz al analizar un Caddyfile. Varias funciones de an\u00e1lisis en la librer\u00eda afectada no validan si sus valores de entrada son nulos antes de intentar acceder a los elementos, lo que puede provocar p\u00e1nico (\u00edndice fuera de rango). Los p\u00e1nicos durante el an\u00e1lisis de un archivo de configuraci\u00f3n pueden introducir ambig\u00fcedad y vulnerabilidades, dificultando la correcta interpretaci\u00f3n y configuraci\u00f3n del servidor web."
    }
  ],
  "id": "CVE-2024-21493",
  "lastModified": "2025-02-27T03:08:34.410",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "report@snyk.io",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-17T05:15:08.747",
  "references": [
    {
      "source": "report@snyk.io",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/"
    },
    {
      "source": "report@snyk.io",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/greenpau/caddy-security/issues/263"
    },
    {
      "source": "report@snyk.io",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/greenpau/caddy-security/issues/263"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078"
    }
  ],
  "sourceIdentifier": "report@snyk.io",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-129"
        }
      ],
      "source": "report@snyk.io",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-129"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.