CVE-2024-21499: 
vulnerability analysis and mitigation

CVE-2024-21499 affects all versions of the github.com/greenpau/caddy-security package, which is a security plugin for the Caddy web server. The vulnerability was discovered and disclosed on September 18, 2023, by security researchers at Trail of Bits during their evaluation of Caddy deployed as a reverse proxy (Trail of Bits, Snyk).

The vulnerability is an HTTP Header Injection that occurs via the X-Forwarded-Proto header. The issue arises because the plugin redirects to the injected protocol without proper validation. The CVSS v3.1 base score is 4.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

Exploitation of this vulnerability could lead to bypass of security mechanisms or confusion in handling TLS. The vulnerability allows attackers to manipulate the protocol used in redirections, which could potentially compromise the security of the communication channel (Snyk).

The recommended mitigation is to avoid relying on the X-Forwarded-Proto header. If the header must be used, implement validation of the X-Forwarded-Proto header value against an allowlist of accepted protocols (e.g., HTTP/HTTPS) and reject any unexpected values (GitHub Issue).

The vulnerability was initially reported to the caddy-security plugin maintainers on August 7, 2023. On August 23, 2023, the maintainers confirmed that there were no near-term plans to address the reported vulnerabilities. The findings were subsequently publicly disclosed on September 18, 2023 (Trail of Bits).