CVE-2018-19148 : Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumer

Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests (with a nonexistent hostname in the Host header) permit full enumeration of all certificates on the server. This generally permits an attacker to easily and accurately discover the existence of and relationships among hostnames that weren't meant to be public, though this information could likely have been discovered via other methods with additional effort.

Published 2018-11-10 19:29:00

Updated 2019-01-30 18:09:42

Source MITRE

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2018-19148

Probability of exploitation activity in the next 30 days: 0.14%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 49 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2018-19148

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
3.7	LOW	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N	2.2	1.4	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2018-19148

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-19148

https://github.com/mholt/caddy/pull/2015

tls: Restructure and improve certificate management by mholt · Pull Request #2015 · caddyserver/caddy · GitHub
Issue Tracking;Patch;Third Party Advisory
https://securitytrails.com/blog/caddy-web-server-ssl-bug

Making the Web a Better Place: Fixing Caddy Web Server Hostname Enumeration Vulnerability (CVE-2018-19148)
Exploit;Patch;Third Party Advisory
https://github.com/mholt/caddy/issues/2334

Problem with the way Caddy serves multiple certificates · Issue #2334 · caddyserver/caddy · GitHub
Issue Tracking;Patch;Third Party Advisory
https://github.com/mholt/caddy/issues/1303

Caddy serves wrong SSL cert for site that is not served on HTTPS port · Issue #1303 · caddyserver/caddy · GitHub
Issue Tracking;Patch;Third Party Advisory

Products affected by CVE-2018-19148

Caddyserver » Caddy
Versions up to, including, (<=) 0.11.0
cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2018-19148

Exploit prediction scoring system (EPSS) score for CVE-2018-19148

CVSS scores for CVE-2018-19148

CWE ids for CVE-2018-19148

References for CVE-2018-19148

Products affected by CVE-2018-19148