x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2022-23469 #1156

Closed
GoVulnBot opened this issue Dec 8, 2022 · 1 comment

Comments

@GoVulnBot

CVE-2022-23469 references github.com/traefik/traefik, which may be a Go module.

Description:
Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a user's logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to INFO, WARN, or ERROR.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/traefik/traefik
    packages:
      - package: traefik
description: |
    Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a user's logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`.
cves:
  - CVE-2022-23469
references:
  - web: https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp
  - fix: https://github.com/traefik/traefik/pull/9574
  - web: https://github.com/traefik/traefik/releases/tag/v2.9.6

@maceonthompson

Duplicate of #1154

@maceonthompson maceonthompson marked this as a duplicate of #1154 Dec 12, 2022