CVE-2024-21493

All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Validation of Array Index when parsing a Caddyfile. Multiple parsing functions in the affected library do not validate whether their input values are nil before attempting to access elements, which can lead to a panic (index out of range). Panics during the parsing of a configuration file may introduce ambiguity and vulnerabilities, hindering the correct interpretation and configuration of the web server.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
https://github.com/greenpau/caddy-security/issues/263
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
https://github.com/greenpau/caddy-security/issues/263
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078

Configurations

No configuration.

History

21 Nov 2024, 08:54

Type	Values Removed	Values Added
References	~~() https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ -~~	() https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/ -
References	~~() https://github.com/greenpau/caddy-security/issues/263 -~~	() https://github.com/greenpau/caddy-security/issues/263 -
References	~~() https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078 -~~	() https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078 -

20 Feb 2024, 19:50

Type	Values Removed	Values Added
Summary		(es) Todas las versiones del paquete github.com/greenpau/caddy-security son vulnerables a una validación incorrecta del índice de matriz al analizar un Caddyfile. Varias funciones de análisis en la librería afectada no validan si sus valores de entrada son nulos antes de intentar acceder a los elementos, lo que puede provocar pánico (índice fuera de rango). Los pánicos durante el análisis de un archivo de configuración pueden introducir ambigüedad y vulnerabilidades, dificultando la correcta interpretación y configuración del servidor web.

17 Feb 2024, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-17 05:15

Updated : 2024-11-21 08:54

NVD link : CVE-2024-21493

Mitre link : CVE-2024-21493

CVE.ORG link : CVE-2024-21493

JSON object : View

Products Affected

No product.

CWE

CWE-129

Improper Validation of Array Index

{"id": "CVE-2024-21493", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-02-17T05:15:08.747", "references": [{"url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/", "source": "report@snyk.io"}, {"url": "https://github.com/greenpau/caddy-security/issues/263", "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078", "source": "report@snyk.io"}, {"url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/greenpau/caddy-security/issues/263", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-5961078", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-129"}]}], "descriptions": [{"lang": "en", "value": "All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Validation of Array Index when parsing a Caddyfile. Multiple parsing functions in the affected library do not validate whether their input values are nil before attempting to access elements, which can lead to a panic (index out of range). Panics during the parsing of a configuration file may introduce ambiguity and vulnerabilities, hindering the correct interpretation and configuration of the web server."}, {"lang": "es", "value": "Todas las versiones del paquete github.com/greenpau/caddy-security son vulnerables a una validaci\u00f3n incorrecta del \u00edndice de matriz al analizar un Caddyfile. Varias funciones de an\u00e1lisis en la librer\u00eda afectada no validan si sus valores de entrada son nulos antes de intentar acceder a los elementos, lo que puede provocar p\u00e1nico (\u00edndice fuera de rango). Los p\u00e1nicos durante el an\u00e1lisis de un archivo de configuraci\u00f3n pueden introducir ambig\u00fcedad y vulnerabilidades, dificultando la correcta interpretaci\u00f3n y configuraci\u00f3n del servidor web."}], "lastModified": "2024-11-21T08:54:32.820", "sourceIdentifier": "report@snyk.io"}

5.3 /10