Open shahar-davidson opened 2 weeks ago
Having the exact same issue
IMO that CVE is way overclassified. It's not that severe at all. It's just a minor bug. I'm pretty sure it's not a problem for any Caddy users, we don't check if an IP is loopback in security sensitive contexts. If someone can show a case where that can happen, then it would be more of a concern.
That's true - it seems overclassified for Caddy. But if a newer Caddy image can be created with a bumped Golang version then that would be nice.
As of today, the latest Caddy 2.8.4 for Alpine contains a security vulnerability that is ranked as Critical: CVE-2024-24790 (published on June 4, 2024)
This vulnerability appears to have been fixed already in the latest golang:1.22 for Alpine image.
Therefore, the Caddy image needs to be recreated with the latest Golang image (1.22.4 or later).
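A defensive illustration of the loopback check the maintainer refers to, added here and not part of this issue or of Caddy's code: it assumes Go's standard `net/netip` package and shows that unmapping IPv4-mapped IPv6 addresses before calling `IsLoopback` keeps the check correct whether or not the runtime carries the Go 1.22.4 fix for CVE-2024-24790.

```go
// Added example (not Caddy's code and not from this issue): a loopback check
// that stays correct for IPv4-mapped IPv6 addresses on any Go patch level.
package main

import (
	"fmt"
	"net/netip"
)

// IsLoopbackSafe reports whether s is a loopback address. It unmaps the
// IPv4-mapped IPv6 form (::ffff:a.b.c.d) before testing, so "::ffff:127.0.0.1"
// is judged like "127.0.0.1". An unparseable string is reported as not
// loopback together with the parse error.
func IsLoopbackSafe(s string) (bool, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false, err
	}
	// Unmap is a no-op for plain IPv4 and for non-mapped IPv6 addresses.
	return addr.Unmap().IsLoopback(), nil
}

// IsLoopbackNaive calls IsLoopback directly on the parsed address. Its answer
// for the mapped form depends on whether the runtime includes the 1.22.4 fix,
// which is exactly the version dependence the safe variant removes.
func IsLoopbackNaive(s string) (bool, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false, err
	}
	return addr.IsLoopback(), nil
}

func main() {
	// Constructed sample inputs covering plain, mapped and invalid forms.
	for _, s := range []string{"127.0.0.1", "::1", "::ffff:127.0.0.1", "10.0.0.1", "not-an-ip"} {
		naive, _ := IsLoopbackNaive(s)
		safe, err := IsLoopbackSafe(s)
		fmt.Printf("%-18s naive=%-5v safe=%-5v err=%v\n", s, naive, safe, err)
	}
}
```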