CVE-2024-21492: 
vulnerability analysis and mitigation

The caddy-security plugin for Caddy web server contains a vulnerability (CVE-2024-21492) related to insufficient session expiration. The vulnerability affects all versions of the package github.com/greenpau/caddy-security. The issue was discovered and disclosed on September 18, 2023, by security researchers from Trail of Bits (Trail of Bits Blog).

The vulnerability stems from improper user session invalidation when users click the "Sign Out" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout endpoints. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating it is network accessible but requires high attack complexity (Snyk).

Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user. This could lead to unauthorized access to resources and potential impersonation of the logged-out user (Trail of Bits Blog, GitHub Issue).

To address this issue, it is recommended to review the sign-out process to identify the cause of the unexpected behavior. The /oauth2/google/logout endpoint should be modified to correctly terminate the user session and invalidate the associated tokens. For additional security, implementers should follow the OWASP Application Security Verification Standard (V3 Session Management) to ensure secure session handling (GitHub Issue).

The vulnerability was initially reported to the caddy-security plugin maintainers on August 7, 2023. The maintainers confirmed on August 23, 2023, that there were no near-term plans to act on the reported vulnerabilities. The issue was subsequently publicly disclosed on September 18, 2023, as part of a larger security audit that revealed multiple vulnerabilities in the plugin (Trail of Bits Blog).