Traefik vulnerabilities

34 known vulnerabilities affecting traefik/traefik.

Total CVEs: 34
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 1
Severity breakdown: HIGH 20, MEDIUM 13, LOW 1

Vulnerabilities

Page 2 of 2
CVE-2023-47124 | MEDIUM | CVSS 5.9 | CWE-772 | Affected: ≤ 2.10.5, v3.0.0, +2 more | Published: 2023-12-04
Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the `HTTPChallenge` to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a `slowloris attack`. This vulnerability has been patched in version 2.10.6 and
Sources: cvelistv5, nvd

CVE-2023-47106 | MEDIUM | CVSS 6.5 | CWE-20 | Affected: ≤ 2.10.5, v3.0.0, +2 more | Published: 2023-12-04
Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain the absolute path and the query. When this is combined with another fron
Sources: cvelistv5, nvd

CVE-2023-44487 | HIGH | CVSS 7.5 | CWE-400 | KEV, PoC | Fixed in: 2.10.5, v3.0.0 | Published: 2023-10-10
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Sources: nvd

CVE-2023-29013 | HIGH | CVSS 7.5 | CWE-400 | Fixed in: 2.9.10, v2.10.0, +1 more | Published: 2023-04-14
Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of serv
Sources: cvelistv5, nvd

CVE-2022-46153 | MEDIUM | CVSS 6.5 | CWE-295 | Fixed in: 2.9.6 | Published: 2022-12-08
Traefik is an open source HTTP reverse proxy and load balancer. In affected versions there is a potential vulnerability in Traefik managing TLS connections. A router configured with a not well-formatted TLSOption is exposed with an empty TLSOption. For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without ver
Sources: cvelistv5, nvd

CVE-2022-23469 | MEDIUM | CVSS 6.5 | CWE-200 | Fixed in: 2.9.6 | Published: 2022-12-08
Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have
Sources: cvelistv5, nvd

CVE-2022-39271 | HIGH | CVSS 7.5 | CWE-400 | Fixed in: 2.8.8, v2.9.0, +2 more | Published: 2022-10-11
Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. T
Sources: cvelistv5, nvd

CVE-2022-23632 | HIGH | CVSS 7.5 | CWE-295 | Fixed in: 2.6.1 | Published: 2022-02-17
Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration. When sen
Sources: cvelistv5, nvd

CVE-2021-32813 | HIGH | CVSS 8.1 | CWE-913 | Fixed in: 2.4.13 | Affected: ≤ 1.7.30 | Published: 2021-08-03
Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation; however, the Traefik team has addressed this issue to preven
Sources: cvelistv5, nvd

CVE-2020-15129 | MEDIUM | CVSS 4.7 | CWE-601 | PoC | Fixed in: 1.7.26 | Affected: ≥ 2.2.0, < 2.2.8, +1 more | Published: 2020-07-30
In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component doesn't validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful
Sources: nvd

CVE-2019-20894 | HIGH | CVSS 7.5 | CWE-295 | Affected: ≥ 2.0.0, < 2.0.1 | Published: 2020-07-02
Traefik 2.x, in certain configurations, allows HTTPS sessions to proceed without mutual TLS verification in a situation where ERR_BAD_SSL_CLIENT_AUTH_CERT should have occurred.
Sources: nvd

CVE-2020-9321 | HIGH | CVSS 7.5 | CWE-295 | Affected: ≥ 2.0.0, ≤ 2.1.4 | Published: 2020-03-16
configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging.
Sources: nvd

CVE-2019-12452 | HIGH | CVSS 7.5 | CWE-522 | Affected: ≥ 1.7.0, ≤ 1.7.11 | Published: 2019-05-29
types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section
Sources: nvd

CVE-2018-15598 | HIGH | CVSS 7.5 | CWE-287 | Affected: ≥ 1.6.0, < 1.6.6 | Published: 2018-08-21
Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.
Sources: nvd