Remote Admin Authorization Bypass in `/config` API via Array Index Normalization
Summary
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3. A remote administrator with restricted access to specific configuration objects could bypass these limitations. This discrepancy allows an attacker to read and modify unauthorized configuration elements, undermining the principle of least privilege in remote administration. This Moderate-impact flaw in Caddy's remote administration API, which allows an authorization bypass due to differing interpretations of array indices, does not affect Red Hat products. The vulnerable code is not present in Red Hat's supported offerings. Red Hat severity: Moderate — CVSS 3.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N). Weakness: CWE-551. Red Hat lists Red Hat Hardened Images as not affected.
Mitigation checklist
- Mitigation for this issue is not required for Red Hat products, as the vulnerable code is not present.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.