CVE-2022-28923: 
NixOS vulnerability analysis and mitigation

Caddy v2.4.6 contains an open redirection vulnerability (CVE-2022-28923) that allows attackers to redirect users to phishing websites through crafted URLs. The vulnerability was discovered in April 2022 and affects specifically version 2.4.6 of the Caddy web server (Lednerb Advisory).

The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site) with a CVSS v3.1 base score of 6.1 (Medium). The attack vector requires no privileges (PR:N) and network access (AV:N), with user interaction required (UI:R). The vulnerability can be triggered by navigating to the web server with a specifically crafted path containing encoded characters: /%5C%5Cexample.com/%252e%252e%252f, which results in a HTTP Status Code 308 redirect (NVD Database, Lednerb Advisory).

The vulnerability allows attackers to redirect users to malicious websites, potentially enabling phishing attacks. When successfully exploited, it can lead to users being redirected to untrusted sites, compromising their security and potentially exposing them to further attacks (NVD Database).

The vulnerability was fixed in commit 78b5356f2b1945a90de1ef7f2c7669d82098edbd and is available in version v2.5.0. Server administrators are recommended to upgrade Caddy to the latest version to mitigate this vulnerability (Lednerb Advisory).