Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZxcTgtNXdxMy04NnJw
Traefik vulnerable to Open Redirect via handling of X-Forwarded-Prefix header
Summary
There exists a potential open redirect vulnerability in Traefik's handling of the X-Forwarded-Prefix
header. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios.
Details
The Traefik API dashboard component doesn't validate that the value of the header X-Forwarded-Prefix
is a site relative path and will redirect to any header provided URI.
e.g.
$ curl --header 'Host:traefik.localhost' --header 'X-Forwarded-Prefix:https://example.org' 'http://localhost:8081'
<a href="https://example.org/dashboard/">Found</a>.`
Impact
A successful exploitation of an open redirect can be used to entice victims to disclose sensitive information.
Workarounds
By using the headers
middleware, the request header X-Forwarded-Prefix
value can be overridden by the value .
(dot)
- https://docs.traefik.io/v2.2/middlewares/headers/#customrequestheaders
- https://docs.traefik.io/v1.7/basics/#custom-headers
For more information
If you have any questions or comments about this advisory, open an issue in Traefik.
Credit
This issue was found by the GitHub Application Security Team and reported on behalf of the GHAS by the GitHub Security Lab Team.
Permalink: https://github.com/advisories/GHSA-6qq8-5wq3-86rpJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZxcTgtNXdxMy04NnJw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
Identifiers: GHSA-6qq8-5wq3-86rp, CVE-2020-15129
References:
- https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp
- https://nvd.nist.gov/vuln/detail/CVE-2020-15129
- https://github.com/containous/traefik/pull/7109
- https://github.com/containous/traefik/commit/cfa04c300c5db95ae8a52c31a9d973b6dd9c2254
- https://github.com/containous/traefik/commit/e63db782c11c7b8bfce30be4c902e7ef8f9f33d2
- https://github.com/containous/traefik/releases/tag/v1.7.26
- https://github.com/containous/traefik/releases/tag/v2.2.8
- https://github.com/containous/traefik/releases/tag/v2.3.0-rc3
- https://github.com/traefik/traefik/commit/e2c5f3712f68993de8ed3cb30da9ec0aa11acb09
- https://github.com/advisories/GHSA-6qq8-5wq3-86rp
Affected Packages
go:github.com/containous/traefik/v2/pkg/api
Affected Version Ranges: >= 2.3.0-rc1, < 2.3.0-rc3, < 2.2.8Fixed in: 2.3.0-rc3, 2.2.8
go:github.com/containous/traefik/api
Affected Version Ranges: >= 1.5.0-rc5, < 1.7.26Fixed in: 1.7.26
go:github.com/traefik/traefik/v2/pkg/api
Affected Version Ranges: >= 2.3.0-rc1, < 2.3.0-rc3, < 2.2.8Fixed in: 2.3.0-rc6, 2.3.0-rc6
go:github.com/traefik/traefik/api
Affected Version Ranges: >= 1.5.0-rc5, < 1.7.26Fixed in: 1.7.26
go:github.com/containous/traefik/v2
Dependent packages: 19Dependent repositories: 12
Downloads:
Affected Version Ranges: >= 2.3.0-rc1, < 2.3.0-rc3, < 2.2.8
Fixed in: 2.3.0-rc3, 2.2.8
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0-rc1, 2.3.0-rc2
All unaffected versions: 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 2.11.0
go:github.com/traefik/traefik/v2
Dependent packages: 44Dependent repositories: 52
Downloads:
Affected Version Ranges: >= 2.3.0-rc1, < 2.3.0-rc3, < 2.2.8
Fixed in: 2.3.0-rc6, 2.3.0-rc6
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0-rc1, 2.3.0-rc2
All unaffected versions: 2.2.8, 2.2.10, 2.2.11, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 2.11.0
go:github.com/containous/traefik
Dependent packages: 9Dependent repositories: 11
Downloads:
Affected Version Ranges: >= 1.5.0-rc5, < 1.7.26
Fixed in: 1.7.26
All affected versions: 1.5.0, 1.5.0-rc5, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.7.15, 1.7.16, 1.7.17, 1.7.18, 1.7.19, 1.7.20, 1.7.21, 1.7.22, 1.7.23, 1.7.24, 1.7.25
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.7.26, 1.7.27, 1.7.28, 1.7.29, 1.7.30, 1.7.31, 1.7.32, 1.7.33, 1.7.34
go:github.com/traefik/traefik
Dependent packages: 4Dependent repositories: 2
Downloads:
Affected Version Ranges: >= 1.5.0-rc5, < 1.7.26
Fixed in: 1.7.26
All affected versions: 1.5.0, 1.5.0-rc5, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.7.15, 1.7.16, 1.7.17, 1.7.18, 1.7.19, 1.7.20, 1.7.21, 1.7.22, 1.7.23, 1.7.24, 1.7.25
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.7.26, 1.7.27, 1.7.28, 1.7.29, 1.7.30, 1.7.31, 1.7.32, 1.7.33, 1.7.34