caddy.advisories.yaml

schema-version: 2.0.2

package:
  name: caddy

advisories:
  - id: CGA-23gr-ph4g-w7pj
    aliases:
      - CVE-2024-22189
      - GHSA-c33x-xqrf-c478
    events:
      - timestamp: 2024-04-04T05:18:19Z
        type: fixed
        data:
          fixed-version: 2.7.6-r6

  - id: CGA-24j9-x3hc-87r9
    aliases:
      - CVE-2023-39325
      - GHSA-4374-p667-p6c8
    events:
      - timestamp: 2023-10-13T12:35:19Z
        type: fixed
        data:
          fixed-version: 2.7.5-r0

  - id: CGA-2g4x-vmmf-2cvp
    aliases:
      - CVE-2023-45289
      - GHSA-32ch-6x54-q4h9
    events:
      - timestamp: 2024-03-13T07:13:49Z
        type: fixed
        data:
          fixed-version: 2.7.6-r3

  - id: CGA-2pf3-f55f-jmwq
    aliases:
      - CVE-2024-24788
      - GHSA-2jwv-jmq4-4j3r
    events:
      - timestamp: 2024-05-14T08:31:30Z
        type: fixed
        data:
          fixed-version: 2.7.6-r9

  - id: CGA-2vf6-pgvh-rm3w
    aliases:
      - CVE-2024-24786
      - GHSA-8r3f-844c-mc37
    events:
      - timestamp: 2024-03-14T16:18:53Z
        type: fixed
        data:
          fixed-version: 2.7.6-r4

  - id: CGA-5592-735q-fj8r
    aliases:
      - GHSA-7jwh-3vrq-q3m8
    events:
      - timestamp: 2024-03-16T07:07:09Z
        type: fixed
        data:
          fixed-version: 2.7.6-r4

  - id: CGA-66qc-6xpc-f7rj
    aliases:
      - CVE-2023-45288
      - GHSA-4v7x-pqxf-cx7m
    events:
      - timestamp: 2024-04-20T23:02:31Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: caddy
            componentID: 92c216fb023b067e
            componentName: golang.org/x/net
            componentVersion: v0.21.0
            componentType: go-module
            componentLocation: /usr/bin/caddy
            scanner: grype
      - timestamp: 2024-04-23T17:01:38Z
        type: fixed
        data:
          fixed-version: 2.7.6-r8

  - id: CGA-67vm-vwp8-2pcr
    aliases:
      - CVE-2024-24791
      - GHSA-hw49-2p59-3mhj
    events:
      - timestamp: 2024-07-05T08:24:31Z
        type: fixed
        data:
          fixed-version: 2.8.4-r2

  - id: CGA-75j3-c8q9-r6qm
    aliases:
      - CVE-2023-45142
      - GHSA-rcjv-mgp8-qvmr
    events:
      - timestamp: 2023-10-19T12:20:51Z
        type: fixed
        data:
          fixed-version: 2.7.5-r1

  - id: CGA-76mq-wf68-hc2j
    aliases:
      - CVE-2023-45283
      - GHSA-vvjp-q62m-2vph
    events:
      - timestamp: 2023-11-07T19:23:48Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-included-in-package
          note: Only affects Windows

  - id: CGA-7c9g-x4f4-fpc8
    aliases:
      - CVE-2022-28923
      - GHSA-qpm3-vr34-h8w8
    events:
      - timestamp: 2024-04-26T09:06:59Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: caddy
            componentID: a43d8f418b6d95f9
            componentName: github.com/caddyserver/caddy/v2
            componentVersion: v0.0.0-20231207202621-6d9a83376b5e
            componentType: go-module
            componentLocation: /usr/bin/caddy
            scanner: grype
      - timestamp: 2024-05-04T17:06:11Z
        type: false-positive-determination
        data:
          type: vulnerable-code-version-not-used
          note: 'Module "github.com/caddyserver/caddy/v2" at "/usr/bin/caddy": the commit of the fixed version (c7d6c4cbb951f7db87fc5aebf8382aeeca6c9f1d) is an ancestor of installed commit (6d9a83376b5e19b3c0368541ee46044ab284038b), which means the installed version was misidentified by the scanner and the vulnerability has actually been fixed.'

  - id: CGA-994f-v4h6-78hg
    aliases:
      - CVE-2023-45290
      - GHSA-rr6r-cfgf-gc6h
    events:
      - timestamp: 2024-03-13T07:13:50Z
        type: fixed
        data:
          fixed-version: 2.7.6-r3

  - id: CGA-9wj7-r529-67q5
    aliases:
      - CVE-2023-49295
      - GHSA-ppxx-5m9h-6vxf
    events:
      - timestamp: 2024-01-12T07:23:44Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: caddy
            componentID: fc1cc663e131c0cf
            componentName: github.com/quic-go/quic-go
            componentVersion: v0.40.0
            componentType: go-module
            componentLocation: /usr/bin/caddy
            scanner: grype
      - timestamp: 2024-01-24T07:10:08Z
        type: fixed
        data:
          fixed-version: 2.7.6-r2

  - id: CGA-9ww3-g338-r292
    aliases:
      - CVE-2024-24783
      - GHSA-3q2c-pvp5-3cqp
    events:
      - timestamp: 2024-03-13T07:13:46Z
        type: fixed
        data:
          fixed-version: 2.7.6-r3

  - id: CGA-jc62-q4jj-v2ww
    aliases:
      - CVE-2024-24790
      - GHSA-49gw-vxvf-fc2g
    events:
      - timestamp: 2024-06-07T11:13:44Z
        type: fixed
        data:
          fixed-version: 2.8.4-r1

  - id: CGA-pf5w-9mcq-4p9c
    aliases:
      - CVE-2024-27304
      - GHSA-mrww-27vc-gghv
    events:
      - timestamp: 2024-03-16T07:07:10Z
        type: fixed
        data:
          fixed-version: 2.7.6-r4

  - id: CGA-pqqq-w7px-8j2f
    aliases:
      - CVE-2024-24787
      - GHSA-5fq7-4mxc-535h
    events:
      - timestamp: 2024-05-14T08:31:27Z
        type: fixed
        data:
          fixed-version: 2.7.6-r9

  - id: CGA-qc6h-xrfq-wppr
    aliases:
      - CVE-2023-48795
      - GHSA-45x7-px36-x8w8
    events:
      - timestamp: 2023-12-29T21:28:59Z
        type: fixed
        data:
          fixed-version: 2.7.6-r1

  - id: CGA-qgh7-pq5g-c3gg
    aliases:
      - CVE-2023-45284
      - GHSA-rq3x-83w4-p28c
    events:
      - timestamp: 2023-11-07T19:23:50Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-included-in-package
          note: Only affects Windows

  - id: CGA-r3px-hvxq-8cvm
    aliases:
      - CVE-2024-24785
      - GHSA-j6m3-gc37-6r6q
    events:
      - timestamp: 2024-03-13T07:13:48Z
        type: fixed
        data:
          fixed-version: 2.7.6-r3

  - id: CGA-r5vc-jhjr-4cx3
    aliases:
      - CVE-2024-24784
      - GHSA-fgq5-q76c-gx78
    events:
      - timestamp: 2024-03-13T07:13:47Z
        type: fixed
        data:
          fixed-version: 2.7.6-r3

  - id: CGA-r658-xp46-5m89
    aliases:
      - CVE-2024-34158
      - GHSA-j7vj-rw65-4v26
    events:
      - timestamp: 2024-09-10T16:41:01Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: caddy
            componentID: 59fa376731aaa40b
            componentName: stdlib
            componentVersion: go1.22.5
            componentType: go-module
            componentLocation: /usr/bin/caddy
            scanner: grype
      - timestamp: 2024-09-12T18:04:19Z
        type: fixed
        data:
          fixed-version: 2.8.4-r3

  - id: CGA-r9m8-hh43-fv4w
    aliases:
      - CVE-2024-24789
      - GHSA-236w-p7wf-5ph8
    events:
      - timestamp: 2024-06-07T11:13:38Z
        type: fixed
        data:
          fixed-version: 2.8.4-r1

  - id: CGA-v7q2-6hjg-p94v
    aliases:
      - CVE-2024-34156
      - GHSA-crqm-pwhx-j97f
    events:
      - timestamp: 2024-09-10T16:40:54Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: caddy
            componentID: 59fa376731aaa40b
            componentName: stdlib
            componentVersion: go1.22.5
            componentType: go-module
            componentLocation: /usr/bin/caddy
            scanner: grype
      - timestamp: 2024-09-12T18:04:18Z
        type: fixed
        data:
          fixed-version: 2.8.4-r3

  - id: CGA-vf36-h2mc-cvv4
    aliases:
      - CVE-2024-27289
      - GHSA-m7wr-2xf7-cm9p
    events:
      - timestamp: 2024-03-13T08:29:10Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: caddy
            componentID: 1b322509c1c42ee5
            componentName: github.com/jackc/pgx/v4
            componentVersion: v4.18.0
            componentType: go-module
            componentLocation: /usr/bin/caddy
            scanner: grype
      - timestamp: 2024-03-14T16:18:55Z
        type: fixed
        data:
          fixed-version: 2.7.6-r4

  - id: CGA-vf8r-rq64-x8j5
    aliases:
      - CVE-2024-34155
      - GHSA-8xfx-rj4p-23jm
    events:
      - timestamp: 2024-09-10T16:40:47Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: caddy
            componentID: 59fa376731aaa40b
            componentName: stdlib
            componentVersion: go1.22.5
            componentType: go-module
            componentLocation: /usr/bin/caddy
            scanner: grype
      - timestamp: 2024-09-12T18:04:19Z
        type: fixed
        data:
          fixed-version: 2.8.4-r3

  - id: CGA-x6wv-g666-wr84
    aliases:
      - CVE-2022-29718
      - GHSA-2927-hv3p-f3vp
    events:
      - timestamp: 2024-04-26T09:06:57Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: caddy
            componentID: a43d8f418b6d95f9
            componentName: github.com/caddyserver/caddy/v2
            componentVersion: v0.0.0-20231207202621-6d9a83376b5e
            componentType: go-module
            componentLocation: /usr/bin/caddy
            scanner: grype
      - timestamp: 2024-05-04T17:06:11Z
        type: false-positive-determination
        data:
          type: vulnerable-code-version-not-used
          note: 'Module "github.com/caddyserver/caddy/v2" at "/usr/bin/caddy": the commit of the fixed version (a8bb4a665af358f61a7ac0eabac8df2110cb6a36) is an ancestor of installed commit (6d9a83376b5e19b3c0368541ee46044ab284038b), which means the installed version was misidentified by the scanner and the vulnerability has actually been fixed.'