Traefik up to 2.6.0 TLS Configuration Host certificate validation

A vulnerability was found in Traefik up to 2.6.0 and has been rated as critical. It affects an unknown part of the TLS Configuration Handler component. Upgrading to version 2.6.1 eliminates this vulnerability; the upgrade is hosted for download at github.com. Applying a patch also eliminates the problem; the bugfix is available for download at github.com. The recommended mitigation is to upgrade to the latest version.

Timeline

Analysing the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, so that immediate vulnerability response and prioritisation of issues become possible.

ID | Committed | User | Field | Change | Remarks | Accepted | Reason | Confidence
12192719 | 02/19/2022 | VulD... | cve_nvd_summary | Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration. When sending a request using FQDN handled by a router configured with a dedicated TLS configuration, the TLS configuration falls back to the default configuration that might not correspond to the configured one. If the CNAME flattening is enabled, the selected TLS configuration is the SNI one and the routing uses the CNAME value, so this can skip the expected TLS configuration. Version 2.6.1 contains a patch for this issue. As a workaround, one may add the FQDN to the host rule. However, there is no workaround if the CNAME flattening is enabled. | cve.mitre.org | 02/19/2022 | accepted | 70
12192718 | 02/19/2022 | VulD... | confirm_url | https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc | cve.mitre.org | 02/19/2022 | accepted | 70
12191512 | 02/17/2022 | VulD... | price_0day | $0-$5k | see exploit price documentation | 02/17/2022 | accepted | 90
12191511 | 02/17/2022 | VulD... | cvss3_meta_tempscore | 6.4 | see CVSS documentation | 02/17/2022 | accepted | 90
12191510 | 02/17/2022 | VulD... | cvss3_meta_basescore | 6.5 | see CVSS documentation | 02/17/2022 | accepted | 90
12191509 | 02/17/2022 | VulD... | cvss3_vuldb_tempscore | 5.4 | see CVSS documentation | 02/17/2022 | accepted | 90
12191508 | 02/17/2022 | VulD... | cvss3_vuldb_basescore | 5.6 | see CVSS documentation | 02/17/2022 | accepted | 90
12191507 | 02/17/2022 | VulD... | cvss2_vuldb_tempscore | 4.4 | see CVSS documentation | 02/17/2022 | accepted | 90
12191506 | 02/17/2022 | VulD... | cvss2_vuldb_basescore | 5.1 | see CVSS documentation | 02/17/2022 | accepted | 90
12191505 | 02/17/2022 | VulD... | cvss3_cna_basescore | 7.4 | see CVSS documentation | 02/17/2022 | accepted | 90
12191504 | 02/17/2022 | VulD... | cvss3_vuldb_e | X | derived from historical data | 02/17/2022 | accepted | 80
12191503 | 02/17/2022 | VulD... | cvss2_vuldb_e | ND | derived from historical data | 02/17/2022 | accepted | 80
12191502 | 02/17/2022 | VulD... | cvss2_vuldb_rl | OF | derived from vuldb v3 vector | 02/17/2022 | accepted | 80
12191501 | 02/17/2022 | VulD... | cvss2_vuldb_rc | C | derived from vuldb v3 vector | 02/17/2022 | accepted | 80
12191500 | 02/17/2022 | VulD... | cvss2_vuldb_ai | P | derived from vuldb v3 vector | 02/17/2022 | accepted | 80
12191499 | 02/17/2022 | VulD... | cvss2_vuldb_ii | P | derived from vuldb v3 vector | 02/17/2022 | accepted | 80
12191498 | 02/17/2022 | VulD... | cvss2_vuldb_ci | P | derived from vuldb v3 vector | 02/17/2022 | accepted | 80
12191497 | 02/17/2022 | VulD... | cvss2_vuldb_au | N | derived from vuldb v3 vector | 02/17/2022 | accepted | 80
12191496 | 02/17/2022 | VulD... | cvss2_vuldb_ac | H | derived from vuldb v3 vector | 02/17/2022 | accepted | 80
12191495 | 02/17/2022 | VulD... | cvss2_vuldb_av | N | derived from vuldb v3 vector | 02/17/2022 | accepted | 80

34 more entries are not shown
