CVE-2022-46153Improper Certificate Validation in Traefik

CWE-295Improper Certificate Validation6 documents5 sources
Severity
6.5MEDIUMNVD
CNA8.1
EPSS
0.4%
top 39.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
TraefikGithub.com Traefik Traefik V2
Timeline
PublishedDec 8
Latest updateAug 21

Description

Traefik is an open source HTTP reverse proxy and load balancer. In affected versions there is a potential vulnerability in Traefik managing TLS connections. A router configured with a not well-formatted TLSOption is exposed with an empty TLSOption. For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates. Users are advised to upgrade to version 2.9.6. Users unable to upgrade should check their logs to detect the error me

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

CVEListV5traefik/traefik< 2.9.6
NVDtraefik/traefik< 2.9.6

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Traefik routes exposed with an empty TLSOption in github.com/traefik/traefik2024-08-21
CVEList
Routes exposed with an empty TLSOption in traefik2022-12-08
GHSA
Traefik routes exposed with an empty TLSOption2022-12-08
OSV
Traefik routes exposed with an empty TLSOption2022-12-08

📋Vendor Advisories

1
Oracle
Oracle Oracle Communications Applications Risk Matrix: Security (Traefik) — CVE-2022-461532023-07-15
CVE-2022-46153 — Improper Certificate Validation | cvebase