Description

The Caddy web server is an open-source load balancer, reverse proxy, web server written in Go.

Caddy is dynamically configurable with a RESTful JSON API. Acunetix determined that it was possible to access this REST interface without authentication.

Remediation

Restrict access to the Caddy API interface.

References

OWASP Authentication Cheat Sheet

API

Related Vulnerabilities

WordPress 5.5.x Multiple Vulnerabilities (5.5 - 5.5.3)

WordPress Plugin BulletProof Security Information Disclosure (5.1)

[Possible] Internal Path Disclosure (*nix)

WordPress Plugin Organizer Multiple Cross-Site Scripting and Information Disclosure Vulnerabilities (1.2.1)

Jetty Information Disclosure (CVE-2021-34429)

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Information Disclosure Configuration