CVE-2024-21494 MEDIUM

Vendor N/A
Product github.com/greenpau/caddy-security
Weakness CWE-290
Published February 17, 2024
Last update April 24, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P

What the vulnerability does

Description

All versions of the package github.com/greenpau/caddy-security are vulnerable to Authentication Bypass by Spoofing (CWE-290) via the X-Forwarded-For header, due to improper input sanitization. An attacker can spoof the client IP address that the user identity module reports through the /whoami API endpoint. This could lead to unauthorized access if the system trusts the spoofed IP address.

Key dates

Disclosure timeline

February 17, 2024 CVE published
April 24, 2025 Record updated