Insufficient Access Control in Containous Traefik API
CVE-2019-12452

7.5 HIGH

Key Information:

Vendor: Traefik
Status: Vendor
CVE Published: 29 May 2019

What is CVE-2019-12452?

The Traefik API in versions 1.7.x up to and including 1.7.11 has an access control weakness. When the --api flag is enabled and the API is reachable from the public network, insufficient access controls allow remote authenticated users to retrieve sensitive information from the API's JSON responses. In particular, the responses include the password hashes and keys configured in the Basic and Digest HTTP Authentication sections and in the ClientTLS section. This exposure contradicts the API's documentation, and the recovered credentials and key material put the systems behind Traefik at risk.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved