Vulnerability Details : CVE-2018-19148
Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests (with a nonexistent hostname in the Host header) permit full enumeration of all certificates on the server. This generally permits an attacker to easily and accurately discover the existence of and relationships among hostnames that weren't meant to be public, though this information could likely have been discovered via other methods with additional effort.
Vulnerability category: Information leak
Exploit prediction scoring system (EPSS) score for CVE-2018-19148
Probability of exploitation activity in the next 30 days: 0.14%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 49 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2018-19148
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST |
3.7
|
LOW | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
2.2
|
1.4
|
NIST |
CWE ids for CVE-2018-19148
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-19148
-
https://github.com/mholt/caddy/pull/2015
tls: Restructure and improve certificate management by mholt · Pull Request #2015 · caddyserver/caddy · GitHubIssue Tracking;Patch;Third Party Advisory
-
https://securitytrails.com/blog/caddy-web-server-ssl-bug
Making the Web a Better Place: Fixing Caddy Web Server Hostname Enumeration Vulnerability (CVE-2018-19148)Exploit;Patch;Third Party Advisory
-
https://github.com/mholt/caddy/issues/2334
Problem with the way Caddy serves multiple certificates · Issue #2334 · caddyserver/caddy · GitHubIssue Tracking;Patch;Third Party Advisory
-
https://github.com/mholt/caddy/issues/1303
Caddy serves wrong SSL cert for site that is not served on HTTPS port · Issue #1303 · caddyserver/caddy · GitHubIssue Tracking;Patch;Third Party Advisory
Products affected by CVE-2018-19148
- cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*