CVE-2024-21497 - Vulnerability Details - OpenCVE

All versions of the package github.com/greenpau/caddy-security are vulnerable to Open Redirect via the redirect_url parameter. An attacker could perform a phishing attack and trick users into visiting a malicious website by crafting a convincing URL with this parameter. To exploit this vulnerability, the user must take an action, such as clicking on a portal button or using the browser’s back button, to trigger the redirection.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
https://github.com/greenpau/caddy-security/issues/268
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249861

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2024-02-17T05:00:04.298Z

Updated: 2024-08-15T17:51:11.026Z

Reserved: 2023-12-22T12:33:20.118Z

Link: CVE-2024-21497

Vulnrichment

Updated: 2024-08-01T22:20:40.785Z

NVD

Status : Awaiting Analysis

Published: 2024-02-17T05:15:09.863

Modified: 2024-11-21T08:54:33.400

Link: CVE-2024-21497

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21497", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.118Z", "datePublished": "2024-02-17T05:00:04.298Z", "dateUpdated": "2024-08-15T17:51:11.026Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P"}}], "credits": [{"value": "Maciej Domanski", "lang": "en"}, {"value": "Travis Peters", "lang": "en"}, {"value": "David Pokora", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "Open Redirect", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-03-06T14:09:46.603Z"}, "descriptions": [{"value": "All versions of the package github.com/greenpau/caddy-security are vulnerable to Open Redirect via the redirect_url parameter. An attacker could perform a phishing attack and trick users into visiting a malicious website by crafting a convincing URL with this parameter. To exploit this vulnerability, the user must take an action, such as clicking on a portal button or using the browser\u2019s back button, to trigger the redirection.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249861"}, {"url": "https://github.com/greenpau/caddy-security/issues/268"}, {"url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/"}], "affected": [{"product": "github.com/greenpau/caddy-security", "versions": [{"version": "0", "lessThan": "*", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.785Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249861", "tags": ["x_transferred"]}, {"url": "https://github.com/greenpau/caddy-security/issues/268", "tags": ["x_transferred"]}, {"url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-15T17:51:00.960219Z", "id": "CVE-2024-21497", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T17:51:11.026Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249861", "tags": ["x_transferred"]}, {"url": "https://github.com/greenpau/caddy-security/issues/268", "tags": ["x_transferred"]}, {"url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.785Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21497", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-15T17:51:00.960219Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T17:51:06.638Z"}}], "cna": {"credits": [{"lang": "en", "value": "Maciej Domanski"}, {"lang": "en", "value": "Travis Peters"}, {"lang": "en", "value": "David Pokora"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "github.com/greenpau/caddy-security", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249861"}, {"url": "https://github.com/greenpau/caddy-security/issues/268"}, {"url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/"}], "descriptions": [{"lang": "en", "value": "All versions of the package github.com/greenpau/caddy-security are vulnerable to Open Redirect via the redirect_url parameter. An attacker could perform a phishing attack and trick users into visiting a malicious website by crafting a convincing URL with this parameter. To exploit this vulnerability, the user must take an action, such as clicking on a portal button or using the browser\u2019s back button, to trigger the redirection."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-601", "description": "Open Redirect"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-03-06T14:09:46.603Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21497", "state": "PUBLISHED", "dateUpdated": "2024-08-15T17:51:11.026Z", "dateReserved": "2023-12-22T12:33:20.118Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2024-02-17T05:00:04.298Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "All versions of the package github.com/greenpau/caddy-security are vulnerable to Open Redirect via the redirect_url parameter. An attacker could perform a phishing attack and trick users into visiting a malicious website by crafting a convincing URL with this parameter. To exploit this vulnerability, the user must take an action, such as clicking on a portal button or using the browser\u2019s back button, to trigger the redirection."}, {"lang": "es", "value": "Todas las versiones del paquete github.com/greenpau/caddy-security son vulnerables a Open Redirect a trav\u00e9s del par\u00e1metro redirect_url. Un atacante podr\u00eda realizar un ataque de phishing y enga\u00f1ar a los usuarios para que visiten un sitio web malicioso creando una URL convincente con este par\u00e1metro. Para aprovechar esta vulnerabilidad, el usuario debe realizar una acci\u00f3n, como hacer clic en un bot\u00f3n del portal o usar el bot\u00f3n atr\u00e1s del navegador, para activar la redirecci\u00f3n."}], "id": "CVE-2024-21497", "lastModified": "2024-11-21T08:54:33.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2024-02-17T05:15:09.863", "references": [{"source": "report@snyk.io", "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/"}, {"source": "report@snyk.io", "url": "https://github.com/greenpau/caddy-security/issues/268"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249861"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/greenpau/caddy-security/issues/268"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249861"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "report@snyk.io", "type": "Secondary"}]}