Security flaws in an SSO plugin for Caddy

blog.trailofbits.com

3 points by eurg 2 years ago · 3 comments

e12e 2 years ago

Nice that the post includes a timeline - but considering some of these issues (broken rng, brute force of otp) - it's deeply concerning that the issues won't be fixed?

> August 7, 2023: We reported our findings to the caddy-security plugin maintainers.

> August 23, 2023: The caddy-security plugin maintainers confirmed that there were no near-term plans to act on the reported vulnerabilities.

  • eurg (OP) 2 years ago

    Both the bug list and the reaction to it are deeply concerning, if you are depending on this project - but I don't know how much real world use this code gets.

    Shows that reviewing dependencies is not optional. Hundreds of stars on GitHub is not a helpful data point, even if my own monkey brain says otherwise.
