cnvd - cnvd-2022-13371

cnvd-2022-13371

Vulnerability from cnvd

Title: Containous Traefik信任管理问题漏洞（CNVD-2022-13371）

Description:

Containous Traefik是美国Containous公司的一款反向代理和负载平衡器。

Containous Traefik存在信任管理问题漏洞，该漏洞源于当使用由配置了专用TLS配置的路由器处理的FQDN发送请求时，TLS配置回退到可能与配置的配置不对应的默认配置。目前没有详细漏洞细节提供。

Severity: 高

Patch Name: Containous Traefik信任管理问题漏洞（CNVD-2022-13371）的补丁

Patch Description:

Containous Traefik是美国Containous公司的一款反向代理和负载平衡器。

Containous Traefik存在信任管理问题漏洞，该漏洞源于当使用由配置了专用TLS配置的路由器处理的FQDN发送请求时，TLS配置回退到可能与配置的配置不对应的默认配置。目前没有详细漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/traefik/traefik/pull/8764

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-23632

Impacted products

Name
Containous Traefik <2.6.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-23632"
    }
  },
  "description": "Containous Traefik\u662f\u7f8e\u56fdContainous\u516c\u53f8\u7684\u4e00\u6b3e\u53cd\u5411\u4ee3\u7406\u548c\u8d1f\u8f7d\u5e73\u8861\u5668\u3002\n\nContainous Traefik\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53\u4f7f\u7528\u7531\u914d\u7f6e\u4e86\u4e13\u7528TLS\u914d\u7f6e\u7684\u8def\u7531\u5668\u5904\u7406\u7684FQDN\u53d1\u9001\u8bf7\u6c42\u65f6\uff0cTLS\u914d\u7f6e\u56de\u9000\u5230\u53ef\u80fd\u4e0e\u914d\u7f6e\u7684\u914d\u7f6e\u4e0d\u5bf9\u5e94\u7684\u9ed8\u8ba4\u914d\u7f6e\u3002 \u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/traefik/traefik/pull/8764",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-13371",
  "openTime": "2022-02-23",
  "patchDescription": "Containous Traefik\u662f\u7f8e\u56fdContainous\u516c\u53f8\u7684\u4e00\u6b3e\u53cd\u5411\u4ee3\u7406\u548c\u8d1f\u8f7d\u5e73\u8861\u5668\u3002\r\n\r\nContainous Traefik\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53\u4f7f\u7528\u7531\u914d\u7f6e\u4e86\u4e13\u7528TLS\u914d\u7f6e\u7684\u8def\u7531\u5668\u5904\u7406\u7684FQDN\u53d1\u9001\u8bf7\u6c42\u65f6\uff0cTLS\u914d\u7f6e\u56de\u9000\u5230\u53ef\u80fd\u4e0e\u914d\u7f6e\u7684\u914d\u7f6e\u4e0d\u5bf9\u5e94\u7684\u9ed8\u8ba4\u914d\u7f6e\u3002 \u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Containous Traefik\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-13371\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Containous Traefik \u003c2.6.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-23632",
  "serverity": "\u9ad8",
  "submitTime": "2022-02-18",
  "title": "Containous Traefik\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-13371\uff09"
}

CVE-2022-23632 (GCVE-0-2022-23632)

Vulnerability from cvelistv5

Published

2022-02-17 14:55

Modified

2025-04-23 19:02

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-295 - Improper Certificate Validation

Summary

Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration. When sending a request using FQDN handled by a router configured with a dedicated TLS configuration, the TLS configuration falls back to the default configuration that might not correspond to the configured one. If the CNAME flattening is enabled, the selected TLS configuration is the SNI one and the routing uses the CNAME value, so this can skip the expected TLS configuration. Version 2.6.1 contains a patch for this issue. As a workaround, one may add the FDQN to the host rule. However, there is no workaround if the CNAME flattening is enabled.

References

▼	URL	Tags
	https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc	x_refsource_CONFIRM
	https://github.com/traefik/traefik/pull/8764	x_refsource_MISC
	https://github.com/traefik/traefik/releases/tag/v2.6.1	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	traefik	traefik	Version: < 2.6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:46.023Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/traefik/traefik/pull/8764"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/traefik/traefik/releases/tag/v2.6.1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23632",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:56:00.722307Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T19:02:55.624Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "traefik",
          "vendor": "traefik",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.6.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration. When sending a request using FQDN handled by a router configured with a dedicated TLS configuration, the TLS configuration falls back to the default configuration that might not correspond to the configured one. If the CNAME flattening is enabled, the selected TLS configuration is the SNI one and the routing uses the CNAME value, so this can skip the expected TLS configuration. Version 2.6.1 contains a patch for this issue. As a workaround, one may add the FDQN to the host rule. However, there is no workaround if the CNAME flattening is enabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:50:16.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/pull/8764"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/traefik/traefik/releases/tag/v2.6.1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "source": {
        "advisory": "GHSA-hrhx-6h34-j5hc",
        "discovery": "UNKNOWN"
      },
      "title": "Traefik skips the router TLS configuration when the host header is an FQDN",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23632",
          "STATE": "PUBLIC",
          "TITLE": "Traefik skips the router TLS configuration when the host header is an FQDN"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "traefik",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2.6.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "traefik"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration. When sending a request using FQDN handled by a router configured with a dedicated TLS configuration, the TLS configuration falls back to the default configuration that might not correspond to the configured one. If the CNAME flattening is enabled, the selected TLS configuration is the SNI one and the routing uses the CNAME value, so this can skip the expected TLS configuration. Version 2.6.1 contains a patch for this issue. As a workaround, one may add the FDQN to the host rule. However, there is no workaround if the CNAME flattening is enabled."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-295: Improper Certificate Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc",
              "refsource": "CONFIRM",
              "url": "https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc"
            },
            {
              "name": "https://github.com/traefik/traefik/pull/8764",
              "refsource": "MISC",
              "url": "https://github.com/traefik/traefik/pull/8764"
            },
            {
              "name": "https://github.com/traefik/traefik/releases/tag/v2.6.1",
              "refsource": "MISC",
              "url": "https://github.com/traefik/traefik/releases/tag/v2.6.1"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-hrhx-6h34-j5hc",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23632",
    "datePublished": "2022-02-17T14:55:10.000Z",
    "dateReserved": "2022-01-19T00:00:00.000Z",
    "dateUpdated": "2025-04-23T19:02:55.624Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted