ghsa-h2ph-vhm7-g4hp
Vulnerability from github
Published
2022-12-08 16:11
Modified
2022-12-09 15:20
Summary
Traefik may display authorization header in the debug logs
Details

Impact

There is a potential vulnerability in Traefik displaying the Authorization header in its debug logs.

Traefik uses oxy to provide the following features:

  • Round Robin: https://doc.traefik.io/traefik/routing/services/#weighted-round-robin-service
  • Buffering: https://doc.traefik.io/traefik/middlewares/http/buffering/
  • Circuit Breaker: https://doc.traefik.io/traefik/middlewares/http/circuitbreaker/
  • In-Flight Requests: https://doc.traefik.io/traefik/middlewares/http/inflightreq/

In such cases, if the log level is set to DEBUG, the credentials provided using the Authorization header are displayed in the debug logs:

level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\\"Method\\":\\"POST\\",\\"URL\\":{\\"Scheme\\":\\"\\",\\"Opaque\\":\\"\\",\\"User\\":null,\\"Host\\":\\"\\",\\"Path\\":\\"/<redacted>/<redacted>\\",\\"RawPath\\":\\"\\",\\"ForceQuery\\":false,\\"RawQuery\\":\\"\\",\\"Fragment\\":\\"\\",\\"RawFragment\\":\\"\\"},\\"Proto\\":\\"HTTP/2.0\\",\\"ProtoMajor\\":2,\\"ProtoMinor\\":0,\\"Header\\":{\\"Authorization\\":[\\"Bearer <token value was here>\\"],\\"Content-Type\\":[\\"application/grpc\\"],\\"Grpc-Accept-Encoding\\":[\\"gzip\\"],\\"Grpc-Timeout\\":[\\"29999886u\\"],\\"Te\\":[\\"trailers\\"],\\"User-Agent\\":[\\"<redacted>\\"],<remainder of log message removed>

Patches

https://github.com/traefik/traefik/pull/9574 https://github.com/traefik/traefik/releases/tag/v2.9.6

Workarounds

Set the log level to INFO, WARN, or ERROR.

For more information

If you have any questions or comments about this advisory, please open an issue.

Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23469"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-08T16:11:37Z",
    "nvd_published_at": "2022-12-08T22:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nThere is a potential vulnerability in Traefik displaying the Authorization header in its debug logs.\n\nTraefik uses [oxy](https://github.com/vulcand/oxy) to provide the following features:\n\n- Round Robin: https://doc.traefik.io/traefik/routing/services/#weighted-round-robin-service\n- Buffering: https://doc.traefik.io/traefik/middlewares/http/buffering/\n- Circuit Breaker: https://doc.traefik.io/traefik/middlewares/http/circuitbreaker/\n- In-Flight Requests: https://doc.traefik.io/traefik/middlewares/http/inflightreq/\n\nIn such cases, if the log level is set to DEBUG, the credentials provided using the Authorization header are displayed in the debug logs:\n\n```\nlevel=debug msg=\"vulcand/oxy/roundrobin/rr: completed ServeHttp on request\" Request=\"{\\\\\"Method\\\\\":\\\\\"POST\\\\\",\\\\\"URL\\\\\":{\\\\\"Scheme\\\\\":\\\\\"\\\\\",\\\\\"Opaque\\\\\":\\\\\"\\\\\",\\\\\"User\\\\\":null,\\\\\"Host\\\\\":\\\\\"\\\\\",\\\\\"Path\\\\\":\\\\\"/\u003credacted\u003e/\u003credacted\u003e\\\\\",\\\\\"RawPath\\\\\":\\\\\"\\\\\",\\\\\"ForceQuery\\\\\":false,\\\\\"RawQuery\\\\\":\\\\\"\\\\\",\\\\\"Fragment\\\\\":\\\\\"\\\\\",\\\\\"RawFragment\\\\\":\\\\\"\\\\\"},\\\\\"Proto\\\\\":\\\\\"HTTP/2.0\\\\\",\\\\\"ProtoMajor\\\\\":2,\\\\\"ProtoMinor\\\\\":0,\\\\\"Header\\\\\":{\\\\\"Authorization\\\\\":[\\\\\"Bearer \u003ctoken value was here\u003e\\\\\"],\\\\\"Content-Type\\\\\":[\\\\\"application/grpc\\\\\"],\\\\\"Grpc-Accept-Encoding\\\\\":[\\\\\"gzip\\\\\"],\\\\\"Grpc-Timeout\\\\\":[\\\\\"29999886u\\\\\"],\\\\\"Te\\\\\":[\\\\\"trailers\\\\\"],\\\\\"User-Agent\\\\\":[\\\\\"\u003credacted\u003e\\\\\"],\u003cremainder of log message removed\u003e\n```\n\n### Patches\n\nhttps://github.com/traefik/traefik/pull/9574\nhttps://github.com/traefik/traefik/releases/tag/v2.9.6\n\n### Workarounds\n\nSet the log level to `INFO`, `WARN`, or `ERROR`.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).",
  "id": "GHSA-h2ph-vhm7-g4hp",
  "modified": "2022-12-09T15:20:21Z",
  "published": "2022-12-08T16:11:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23469"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/pull/9574"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.9.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Traefik may display authorization header in the debug logs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.