Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NCaddyserver Caddy
APPCaddyserver2.10.0 – 2.11.2 (bez)
Related vulnerabilities
Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused ...
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can ...
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path match...
Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transpor...
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers de...