Vulnerability Details : CVE-2022-23469
Potential exploit
Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in which Traefik displays the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are written to the debug logs. An attacker must have access to a user's logging system in order for the credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`.
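The underlying defect is a debug logger that dumps the raw request, headers included. As an added defensive example (not Traefik's own code and not the fix from PR #9574), the following Go helper redacts credential-bearing headers before a request is rendered for a debug log; the header list, function names and the sample request are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Headers whose values carry credentials and must never reach a log,
// whatever the log level. HTTP header names are case-insensitive, so
// lookups go through http.CanonicalHeaderKey.
var sensitiveHeaders = map[string]bool{
	"Authorization":       true,
	"Proxy-Authorization": true,
	"Cookie":              true,
}

// RedactHeaders returns a copy of h in which every value of a
// credential-bearing header is replaced by "[REDACTED]". The original
// header map is left untouched so it can still be forwarded upstream.
func RedactHeaders(h http.Header) http.Header {
	out := h.Clone()
	for name, values := range out {
		if sensitiveHeaders[http.CanonicalHeaderKey(name)] {
			for i := range values {
				values[i] = "[REDACTED]"
			}
		}
	}
	return out
}

// FormatForLog renders the request line plus redacted headers as one
// debug-log line; this is what a logger should emit instead of the raw request.
func FormatForLog(r *http.Request) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s", r.Method, r.URL.RequestURI())
	for name, values := range RedactHeaders(r.Header) {
		fmt.Fprintf(&b, " %s=%q", name, strings.Join(values, ","))
	}
	return b.String()
}

func main() {
	// Constructed sample request carrying a made-up bearer token.
	req, _ := http.NewRequest("GET", "http://backend.local/api", nil)
	req.Header.Set("Authorization", "Bearer constructed-example-token")
	req.Header.Set("Accept", "application/json")
	fmt.Println(FormatForLog(req))
}
```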
Vulnerability category: Information leak
Products affected by CVE-2022-23469
- cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-23469
EPSS score: 0.11% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~46% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2022-23469
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | |
3.5 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N | 1.8 | 1.4 | GitHub, Inc. | |
CWE ids for CVE-2022-23469
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Secondary)
- The product writes sensitive information to a log file. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-23469
- https://github.com/traefik/traefik/pull/9574 (Patch; Third Party Advisory): Remove logs of the request by ldez · Pull Request #9574 · traefik/traefik · GitHub
- https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp (Exploit; Patch; Third Party Advisory): Authorization header displayed in the debug logs · Advisory · traefik/traefik · GitHub
- https://github.com/traefik/traefik/releases/tag/v2.9.6 (Release Notes; Third Party Advisory): Release v2.9.6 · traefik/traefik · GitHub