6.1

CVE-2020-15129

Open redirect in Traefik

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component doesn't validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
TraefikTraefik Version < 1.7.26
TraefikTraefik Version >= 2.2.0 < 2.2.8
TraefikTraefik Version2.3.0 Update-
TraefikTraefik Version2.3.0 Updaterc1
TraefikTraefik Version2.3.0 Updaterc2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 8.01% 0.94
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.7 1.6 2.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 4 4.9 4.9
AV:N/AC:H/Au:N/C:P/I:P/A:N
security-advisories@github.com 6.1 1.6 4
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

https://github.com/containous/traefik/commit/e63db782c11c7b8bfce30be4c902e7ef8f9f33d2
Patch
Third Party Advisory
https://github.com/containous/traefik/pull/7109
Patch
Third Party Advisory
https://github.com/containous/traefik/releases/tag/v1.7.26
Third Party Advisory
Release Notes
https://github.com/containous/traefik/releases/tag/v2.2.8
Third Party Advisory
Release Notes
https://github.com/containous/traefik/releases/tag/v2.3.0-rc3
Third Party Advisory
Release Notes
https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp
Third Party Advisory