GHSA-h2ph-vhm7-g4hp

Source
https://github.com/advisories/GHSA-h2ph-vhm7-g4hp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-h2ph-vhm7-g4hp/GHSA-h2ph-vhm7-g4hp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h2ph-vhm7-g4hp
Aliases
Related
Published
2022-12-08T16:11:37Z
Modified
2024-08-21T16:28:29.678534Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary
Traefik may display authorization header in the debug logs
Details

Impact

There is a potential vulnerability in Traefik: it can display the value of the Authorization header in its debug logs.

Traefik uses oxy to provide the following features:

  • Round Robin: https://doc.traefik.io/traefik/routing/services/#weighted-round-robin-service
  • Buffering: https://doc.traefik.io/traefik/middlewares/http/buffering/
  • Circuit Breaker: https://doc.traefik.io/traefik/middlewares/http/circuitbreaker/
  • In-Flight Requests: https://doc.traefik.io/traefik/middlewares/http/inflightreq/

When any of these features is in use and the log level is set to DEBUG, the credentials supplied in the Authorization header are written to the debug logs:

level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\\"Method\\":\\"POST\\",\\"URL\\":{\\"Scheme\\":\\"\\",\\"Opaque\\":\\"\\",\\"User\\":null,\\"Host\\":\\"\\",\\"Path\\":\\"/<redacted>/<redacted>\\",\\"RawPath\\":\\"\\",\\"ForceQuery\\":false,\\"RawQuery\\":\\"\\",\\"Fragment\\":\\"\\",\\"RawFragment\\":\\"\\"},\\"Proto\\":\\"HTTP/2.0\\",\\"ProtoMajor\\":2,\\"ProtoMinor\\":0,\\"Header\\":{\\"Authorization\\":[\\"Bearer <token value was here>\\"],\\"Content-Type\\":[\\"application/grpc\\"],\\"Grpc-Accept-Encoding\\":[\\"gzip\\"],\\"Grpc-Timeout\\":[\\"29999886u\\"],\\"Te\\":[\\"trailers\\"],\\"User-Agent\\":[\\"<redacted>\\"],<remainder of log message removed>

Patches

  • https://github.com/traefik/traefik/pull/9574
  • https://github.com/traefik/traefik/releases/tag/v2.9.6

Workarounds

Set the log level to INFO, WARN, or ERROR.
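
The leak above happens because the whole request, headers included, is serialised into the debug message. As an added example that is not Traefik's or oxy's code, the Go program below shows the code-level counterpart to the workaround: sensitive headers are redacted on a copy of the request before it is turned into log JSON, and a second helper flags existing log lines in which a Bearer or Basic credential was still written out. The function names (RedactHeaders, DebugJSON, LeaksCredential), the header set treated as sensitive, and the sample token are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
)

// sensitiveHeaders lists the request headers whose values must never reach a
// log line. The set is an assumption for this example, not a Traefik setting.
var sensitiveHeaders = map[string]bool{
	"Authorization":       true,
	"Proxy-Authorization": true,
	"Cookie":              true,
}

// RedactHeaders returns a copy of h in which every sensitive header value is
// replaced by a marker. The caller's header map is left untouched, so the
// redacted copy can be serialised while the real request continues upstream.
func RedactHeaders(h http.Header) http.Header {
	out := h.Clone()
	for name := range out {
		if sensitiveHeaders[http.CanonicalHeaderKey(name)] {
			out[name] = []string{"REDACTED"}
		}
	}
	return out
}

// LoggableRequest is the subset of *http.Request that a debug logger may emit.
type LoggableRequest struct {
	Method string      `json:"Method"`
	Path   string      `json:"Path"`
	Proto  string      `json:"Proto"`
	Header http.Header `json:"Header"`
}

// DebugJSON builds the JSON document a debug log line would carry for req,
// redacting sensitive headers before anything is serialised.
func DebugJSON(req *http.Request) (string, error) {
	lr := LoggableRequest{
		Method: req.Method,
		Path:   req.URL.Path,
		Proto:  req.Proto,
		Header: RedactHeaders(req.Header),
	}
	b, err := json.Marshal(lr)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// leakPattern matches an Authorization header whose Bearer or Basic value
// survived into a log line. It tolerates the JSON escaping seen in the
// advisory's sample (\"Authorization\":[\"Bearer ...\"]) as well as a plain
// "Authorization: Bearer ..." header dump.
var leakPattern = regexp.MustCompile(`(?i)authorization[^a-z0-9]{1,10}(?:bearer|basic)\s+[a-z0-9._~+/=-]+`)

// LeaksCredential reports whether line still contains an unredacted credential;
// useful for checking logs written before the log level or the code was fixed.
func LeaksCredential(line string) bool {
	return leakPattern.MatchString(line)
}

func main() {
	// Constructed sample request; the token is a placeholder, not a real credential.
	req, err := http.NewRequest(http.MethodPost, "http://example.invalid/svc/Method", nil)
	if err != nil {
		panic(err)
	}
	req.Header.Set("Authorization", "Bearer eyJconstructed.sample.token")
	req.Header.Set("Content-Type", "application/grpc")

	safe, err := DebugJSON(req)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe to log:", safe)

	// Constructed log line in the shape the advisory quotes.
	old := `level=debug msg="completed ServeHttp" Request="{\"Header\":{\"Authorization\":[\"Bearer eyJconstructed.sample.token\"]}}"`
	fmt.Println("old line leaks credential:", LeaksCredential(old))
	fmt.Println("new line leaks credential:", LeaksCredential(safe))
}
```

Redacting on a clone matters: mutating req.Header in place would strip the credential from the request that is forwarded upstream, turning a logging fix into an authentication failure. LeaksCredential is meant for a one-off sweep of logs produced while the debug level was enabled, so that any tokens found there can be rotated.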

For more information

If you have any questions or comments about this advisory, please open an issue.

References

Affected packages

Go / github.com/traefik/traefik/v2

Package

Name
github.com/traefik/traefik/v2
Purl
pkg:golang/github.com/traefik/traefik/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.9.6