Authorization header displayed in the debug logs
CVE-2022-23469

3.5LOW

Key Information:

Vendor

Traefik

Status
Traefik
Vendor
CVE Published:
8 December 2022

What is CVE-2022-23469?

Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a users logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to INFO, WARN, or ERROR.

Affected Version(s)

traefik < 2.9.6

References

https://github.com/traefik/traefik/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/traefik/traefik/pull/9574
x_refsource_MISC
https://github.com/traefik/traefik/releases/tag/v2.9.6
x_refsource_MISC

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2022-23469 : Authorization header displayed in the debug logs