Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00Njh3LTh4MzktZ2o1ds4AAwNU

Traefik routes exposed with an empty TLSOption

There is a potential vulnerability in Traefik managing the TLS connections.

A router configured with a not well-formatted TLSOption is exposed with an empty TLSOption.

For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates.

Check the logs to detect the following error messages and fix your TLS options:

{"level":"error","msg":"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required","routerName":"[email protected]"}

{"level":"error","msg":"invalid certificate(s) content","routerName":"[email protected]"}

{"level":"error","msg":"unknown client auth type \"FooClientAuthType\"","routerName":"[email protected]"}

{"level":"error","msg":"invalid CipherSuite: foobar","routerName":"[email protected]"}

{"level":"error","msg":"invalid CurveID in curvePreferences: foobar","routerName":"[email protected]"}

If you have any questions or comments about this advisory, please open an issue.

Permalink: https://github.com/advisories/GHSA-468w-8x39-gj5v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00Njh3LTh4MzktZ2o1ds4AAwNU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 4 months ago

CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-468w-8x39-gj5v, CVE-2022-46153
References:

Versions: < 2.9.6
Fixed in: 2.9.6