{"id":"GHSA-r969-783f-6jqr","summary":"Improper Neutralization of HTTP Headers in github.com/greenpau/caddy-security","details":"All versions of the package github.com/greenpau/caddy-security are vulnerable to HTTP Header Injection via the X-Forwarded-Proto header due to redirecting to the injected protocol. Exploiting this vulnerability could lead to bypass of security mechanisms or confusion in handling TLS.","aliases":["CVE-2024-21499","GO-2024-2562"],"modified":"2024-06-28T15:58:33.903059Z","published":"2024-02-17T06:30:35Z","database_specific":{"cwe_ids":["CWE-644"],"nvd_published_at":"2024-02-17T05:15:10Z","github_reviewed_at":"2024-02-20T23:48:04Z","severity":"MODERATE","github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21499"},{"type":"WEB","url":"https://github.com/greenpau/caddy-security/issues/270"},{"type":"WEB","url":"https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249863"},{"type":"PACKAGE","url":"github.com/greenpau/caddy-security"}],"affected":[{"package":{"name":"github.com/greenpau/caddy-security","ecosystem":"Go","purl":"pkg:golang/github.com/greenpau/caddy-security"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"last_affected":"1.1.23"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-r969-783f-6jqr/GHSA-r969-783f-6jqr.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}]}