CVE-2022-46153

Traefik is an open source HTTP reverse proxy and load balancer. In affected versions there is a potential vulnerability in Traefik managing TLS connections. A router configured with a not well-formatted TLSOption is exposed with an empty TLSOption. For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates. Users are advised to upgrade to version 2.9.6. Users unable to upgrade should check their logs to detect the error messages and fix your TLS options.

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/traefik/traefik/releases/tag/v2.9.6	Release Notes Third Party Advisory
https://github.com/traefik/traefik/security/advisories/GHSA-468w-8x39-gj5v	Mitigation Patch Third Party Advisory
https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options	Product Vendor Advisory
https://github.com/traefik/traefik/commit/7e3fe48b80083b41e9ff82a474a36484cabc701a	Patch Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*

Information

Published : 2022-12-08 14:15

Updated : 2022-12-12 10:44

NVD link : CVE-2022-46153

Mitre link : CVE-2022-46153

JSON object : View

CWE

CWE-295

Improper Certificate Validation

Advertisement

Products Affected

traefik

traefik

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/traefik/traefik/releases/tag/v2.9.6", "name": "https://github.com/traefik/traefik/releases/tag/v2.9.6", "tags": ["Release Notes", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/traefik/traefik/security/advisories/GHSA-468w-8x39-gj5v", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-468w-8x39-gj5v", "tags": ["Mitigation", "Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options", "name": "https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options", "tags": ["Product", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://github.com/traefik/traefik/commit/7e3fe48b80083b41e9ff82a474a36484cabc701a", "name": "https://github.com/traefik/traefik/commit/7e3fe48b80083b41e9ff82a474a36484cabc701a", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Traefik is an open source HTTP reverse proxy and load balancer. In affected versions there is a potential vulnerability in Traefik managing TLS connections. A router configured with a not well-formatted TLSOption is exposed with an empty TLSOption. For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates. Users are advised to upgrade to version 2.9.6. Users unable to upgrade should check their logs to detect the error messages and fix your TLS options."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-295"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-46153", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}}, "publishedDate": "2022-12-08T22:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.9.6"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-12-12T18:44Z"}