CVE-2022-23469
Published 2022-12-08
Priority: P336
CVSS 3.1: 6.5 (medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.98% (57.7th percentile)
Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a user's logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | traefik_traefik_v2 | >= 0 < 2.9.6 | 2.9.6 |
| traefik | traefik | < 2.9.6 | 2.9.6 |
OSV
osv · 2024-08-21
CVE-2022-23469: Traefik may display authorization header in the debug logs in github.com/traefik/traefik
GHSA
ghsa · 2022-12-08
CVE-2022-23469 [LOW] CWE-200: Traefik may display authorization header in the debug logs
### Impact
There is a potential vulnerability in Traefik displaying the Authorization header in its debug logs.
Traefik uses [oxy](https://github.com/vulcand/oxy) to provide the following features:
- Round Robin: https://doc.traefik.io/traefik/routing/services/#weighted-round-robin-service
- Buffering: https://doc.traefik.io/traefik/middlewares/http/buffering/
- Circuit Breaker: https://doc.traefik.io/traefik/middlewares/http/circuitbreaker/
- In-Flight Requests: https://doc.traefik.io/traefik/middlewares/http/inflightreq/
In such cases, if the log level is set to DEBUG, the credentials provided using the Authorization header are displayed in the debug logs:
```
level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp
```
OSV
osv · 2022-12-08
CVE-2022-23469 [LOW]: Traefik may display authorization header in the debug logs
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
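The advisory above says that, with the log level at DEBUG, the oxy round-robin handler writes the request's Authorization header into Traefik's log, and that raising the level to INFO, WARN or ERROR avoids it on unpatched versions. As an added example (not code from this page or from the Traefik project), the Python script below scans logfmt-style lines in the shape of that debug message, reports which lines expose an Authorization credential (decoding only the user-id of a Basic credential, never the password), produces a redacted copy for retention or sharing, and checks a configured log level against the advisory's safe list. The log lines, credentials and the exact layout of the header dump are constructed assumptions, not captured Traefik output.

```python
"""Scan reverse-proxy debug logs for leaked Authorization headers and
produce a redacted copy. Added example for CVE-2022-23469; the log lines
below are constructed and are not real Traefik output."""
import base64
import re
from typing import List

# Constructed sample: logfmt-style lines shaped like the oxy round-robin
# debug message that, before Traefik 2.9.6, dumped the request including
# its headers. Timestamps, paths and credentials are all made up.
SAMPLE_LOG = r'''time="2022-12-08T10:00:00Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
time="2022-12-08T10:00:01Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Path\":\"/api\"},\"Header\":{\"Authorization\":[\"Basic YWxpY2U6aHVudGVyMg==\"],\"User-Agent\":[\"curl/7.85.0\"]}}"
time="2022-12-08T10:00:02Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Path\":\"/health\"},\"Header\":{\"User-Agent\":[\"kube-probe/1.25\"]}}"
time="2022-12-08T10:00:03Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"POST\",\"URL\":{\"Path\":\"/v1/items\"},\"Header\":{\"Authorization\":[\"Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig\"]}}"
'''

# Header name, any quoting/punctuation the JSON-ish dump puts after it,
# then the auth scheme and the credential token (base64 / JWT charset).
AUTH_RE = re.compile(
    r"(?P<prefix>Authorization[^A-Za-z0-9]*)"
    r"(?P<scheme>Basic|Bearer|Digest)\s+"
    r"(?P<credential>[A-Za-z0-9._~+/=-]+)"
)
LEVEL_RE = re.compile(r"\blevel=(\w+)")

# Per the advisory, only DEBUG output exposes the header; the settings it
# lists as safe for deployments that cannot upgrade are INFO, WARN, ERROR.
SAFE_LEVELS = {"INFO", "WARN", "ERROR"}


def log_level_safe(level: str) -> bool:
    """True if a Traefik log level avoids the leaky debug output."""
    return level.upper() in SAFE_LEVELS


def _basic_username(credential: str) -> str:
    """Return the user-id from a Basic credential, never the password."""
    try:
        decoded = base64.b64decode(credential, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"
    return decoded.split(":", 1)[0]


def find_leaks(log_text: str) -> List[dict]:
    """Report every line that carries an Authorization credential."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = AUTH_RE.search(line)
        if not match:
            continue
        level_match = LEVEL_RE.search(line)
        finding = {
            "line": line_no,
            "level": level_match.group(1) if level_match else "unknown",
            "scheme": match.group("scheme"),
        }
        if finding["scheme"] == "Basic":
            finding["username"] = _basic_username(match.group("credential"))
        findings.append(finding)
    return findings


def redact(log_text: str) -> str:
    """Replace credential tokens so the log can be retained or shared."""
    return AUTH_RE.sub(r"\g<prefix>\g<scheme> [REDACTED]", log_text)


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOG):
        extra = f" user={f['username']}" if "username" in f else ""
        print(f"line {f['line']}: level={f['level']} scheme={f['scheme']}{extra}")
    print(redact(SAMPLE_LOG))
```

Run against a real log directory the same way (`find_leaks(path.read_text())`); a hit on any line means the credential must be treated as exposed and rotated, and the redacted copy is what should go to long-term storage. The `log_level_safe` check is the configuration side of the same control: it only matters for versions before 2.9.6, where the fix is to upgrade.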
References
- https://github.com/traefik/traefik/pull/9574
- https://github.com/traefik/traefik/releases/tag/v2.9.6
- https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp