CVE-2019-12452

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-12452

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12452.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-12452

Aliases

Published

2019-05-29T19:29:00Z

Modified

2025-02-19T02:42:20.761155Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by reading the ClientTLS section. These can be found in the JSON response to a /api request.

References

Affected packages

Git / github.com/traefik/traefik

Affected ranges

Type: GIT
Repo: https://github.com/traefik/traefik
Events: Introduced

d4311f9cf55f8b49974158fd01ac5ad6006b906b

Last affected

8a1c3510eaf521fda45f3a215017b2242b7a2e97

Affected versions

v1.*

v1.7.0

v1.7.1

v1.7.10

v1.7.11

v1.7.2

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.7.7

v1.7.8

v1.7.9