CVE-2022-23469 — Sensitive Information Exposure in Traefik

CWE-200 — Sensitive Information Exposure CWE-532 — Log File Information Exposure5 documents4 sources

Severity

6.5MEDIUMNVD

CNA3.5

EPSS

0.5%

top 33.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Traefik Github.com Traefik Traefik V2

Timeline

PublishedDec 8

Latest updateAug 21

Description

Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a users logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5traefik/traefik< 2.9.6

▶NVDtraefik/traefik< 2.9.6

▶Gogithub.com/traefik_traefik_v2< 2.9.6

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Traefik may display authorization header in the debug logs in github.com/traefik/traefik↗2024-08-21

▶

GHSA

Traefik may display authorization header in the debug logs↗2022-12-08

▶

OSV

Traefik may display authorization header in the debug logs↗2022-12-08

▶

CVEList

Authorization header displayed in the debug logs↗2022-12-08

▶