Description
Caddy is an open-source web server, reverse proxy and load balancer written in Go.
Caddy is dynamically configurable with a RESTful JSON API. Acunetix determined that it was possible to access this REST interface without authentication.
Remediation
Restrict access to the Caddy API interface.