CVE-2019-12452Insufficiently Protected Credentials in Traefik Traefik

CWE-522Insufficiently Protected Credentials5 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.3%
top 43.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Traefik TraefikTraefik
Timeline
PublishedMay 29
Latest updateAug 20

Description

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by reading the ClientTLS section. These can be found in the JSON response to a /api request.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

Gogithub.com/traefik_traefik1.7.01.7.12
NVDtraefik/traefik1.7.01.7.11

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Containous Traefik Exposes Password Hashes in github.com/traefik/traefik2024-08-20
OSV
Containous Traefik Exposes Password Hashes2022-05-24
GHSA
Containous Traefik Exposes Password Hashes2022-05-24
CVEList
CVE-2019-12452: types/types2019-05-29
CVE-2019-12452 — Insufficiently Protected Credentials | cvebase