CVE-2024-21493 - OpenCVE

All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Validation of Array Index when parsing a Caddyfile. Multiple parsing functions in the affected library do not validate whether their input values are nil before attempting to access elements, which can lead to a panic (index out of range). Panics during the parsing of a configuration file may introduce ambiguity and vulnerabilities, hindering the correct interpretation and configuration of the web server.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
https://github.com/greenpau/caddy-security/issues/263
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2024-02-17T05:00:08.927Z

Updated: 2024-07-05T17:21:47.850Z

Reserved: 2023-12-22T12:33:20.118Z

Link: CVE-2024-21493

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-02-17T05:15:08.747

Modified: 2024-02-20T19:50:53.960

Link: CVE-2024-21493

JSON object: View

Redhat Information

No data.

CWE

CWE-129

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21493", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.118Z", "datePublished": "2024-02-17T05:00:08.927Z", "dateUpdated": "2024-07-05T17:21:47.850Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P"}}], "credits": [{"value": "Maciej Domanski", "lang": "en"}, {"value": "Travis Peters", "lang": "en"}, {"value": "David Pokora", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-129", "description": "Improper Validation of Array Index", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-03-06T14:09:47.512Z"}, "descriptions": [{"value": "All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Validation of Array Index when parsing a Caddyfile. Multiple parsing functions in the affected library do not validate whether their input values are nil before attempting to access elements, which can lead to a panic (index out of range). Panics during the parsing of a configuration file may introduce ambiguity and vulnerabilities, hindering the correct interpretation and configuration of the web server.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078"}, {"url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/"}, {"url": "https://github.com/greenpau/caddy-security/issues/263"}], "affected": [{"product": "github.com/greenpau/caddy-security", "versions": [{"version": "0", "lessThan": "*", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21493", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-20T18:44:32.300528Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:47.850Z"}}]}}

{"descriptions": [{"lang": "en", "value": "All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Validation of Array Index when parsing a Caddyfile. Multiple parsing functions in the affected library do not validate whether their input values are nil before attempting to access elements, which can lead to a panic (index out of range). Panics during the parsing of a configuration file may introduce ambiguity and vulnerabilities, hindering the correct interpretation and configuration of the web server."}, {"lang": "es", "value": "Todas las versiones del paquete github.com/greenpau/caddy-security son vulnerables a una validaci\u00f3n incorrecta del \u00edndice de matriz al analizar un Caddyfile. Varias funciones de an\u00e1lisis en la librer\u00eda afectada no validan si sus valores de entrada son nulos antes de intentar acceder a los elementos, lo que puede provocar p\u00e1nico (\u00edndice fuera de rango). Los p\u00e1nicos durante el an\u00e1lisis de un archivo de configuraci\u00f3n pueden introducir ambig\u00fcedad y vulnerabilidades, dificultando la correcta interpretaci\u00f3n y configuraci\u00f3n del servidor web."}], "id": "CVE-2024-21493", "lastModified": "2024-02-20T19:50:53.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2024-02-17T05:15:08.747", "references": [{"source": "report@snyk.io", "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/"}, {"source": "report@snyk.io", "url": "https://github.com/greenpau/caddy-security/issues/263"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-129"}], "source": "report@snyk.io", "type": "Secondary"}]}