Description
The Caddy web server is an open-source load balancer, reverse proxy, and web server written in Go.
Caddy is dynamically configurable with a RESTful JSON API. Acunetix determined that it was possible to access this REST interface without authentication.
Remediation
Restrict access to the Caddy API interface.
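An added configuration example (not taken from the Acunetix page or the Caddy project) showing the admin endpoint bound to every interface beside the restricted form; the site block and hostname are placeholders:

```caddyfile
{
	# Weak: binds the admin API to all interfaces, so any host that can
	# reach TCP port 2019 can read and replace the running configuration
	# without authentication.
	# admin 0.0.0.0:2019

	# Corrected: keep the admin endpoint on the loopback interface only
	# (Caddy's default) and enforce the Origin header so that only requests
	# addressed to localhost:2019 are accepted.
	admin localhost:2019 {
		origins localhost:2019
		enforce_origin
	}

	# Alternative when runtime reconfiguration is not needed: turn the
	# admin API off entirely.
	# admin off
}

# Placeholder site block so the file loads as a complete configuration.
example.com {
	respond "ok"
}
```

After reloading, a request to the admin endpoint from another host should be refused at the network level, and one with a non-matching Origin header should be rejected by Caddy itself.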