CVE-2018-19148

Severity Score

3.7

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests (with a nonexistent hostname in the Host header) permit full enumeration of all certificates on the server. This generally permits an attacker to easily and accurately discover the existence of and relationships among hostnames that weren't meant to be public, though this information could likely have been discovered via other methods with additional effort.

Caddy hasta la versión 0.11.0 envía certificados incorrectos para determinadas solicitudes no válidas, lo que facilita a los atacantes la enumeración de nombres de host. Específicamente, cuando no puede hacer coincidir una cabecera Host con un vhost en su configuración, sirve el certificado X.509 para un vhost seleccionado aleatoriamente en su configuración. Las peticiones repetidas (con un nombre de host inexistente en la cabecera Host) permiten la enumeración completa de todos los certificados en el servidor. Esto generalmente permite que un atacante descubra de forma fácil y precisa la existencia y las relaciones entre los nombres de host que no estaban destinados a ser públicos, aunque es probable que esta información se haya descubierto a través de otros métodos con un esfuerzo adicional.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-11-10 CVE Reserved
2018-11-10 CVE Published
2019-01-30 First Exploit
2024-06-29 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC
https://securitytrails.com/blog/caddy-web-server-ssl-bug	2019-01-30

URL	Date	SRC
https://github.com/mholt/caddy/issues/1303	2019-01-30
https://github.com/mholt/caddy/issues/2334	2019-01-30
https://github.com/mholt/caddy/pull/2015	2019-01-30

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Caddyserver Search vendor "Caddyserver"		Caddy Search vendor "Caddyserver" for product "Caddy"				<= 0.11.0 Search vendor "Caddyserver" for product "Caddy" and version " <= 0.11.0"		-		Affected