CVE-2022-23632: Improper Certificate Validation in Traefik

Severity
NVD: 7.5 HIGH
CNA: 7.4
EPSS
0.6% (top 31.78%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 17
Latest update: Aug 21

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration. When sending a request using FQDN handled by a router configured with a dedicated TLS configuration, the TLS configuration falls back to the default config

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

Patches

Vulnerability Details (4)

OSV: Skip the router TLS configuration when the host header is an FQDN in github.com/traefik/traefik (2024-08-21)
CVEList: Traefik skips the router TLS configuration when the host header is an FQDN (2022-02-17)
OSV: Skip the router TLS configuration when the host header is an FQDN (2022-02-16)
GHSA: Skip the router TLS configuration when the host header is an FQDN (2022-02-16)

Vendor Advisories (2)

Oracle: Oracle Communications Applications Risk Matrix: Security (Traefik) — CVE-2022-23632 (2022-10-15)
Oracle: Oracle Communications Applications Risk Matrix: Cloud Native (Traefik) — CVE-2022-23632 (2022-07-15)
CVE-2022-23632 — Improper Certificate Validation | cvebase