QwikSec

Security Database

CVE

CWE

Training

CVE-2020-15129

Published: Jul 30, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component doesn't validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios.

Vendor	Product	Versions
containous	traefik	affected `< 1.7.26` affected `>= 2.0.0, < 2.2.8`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp

x_refsource_CONFIRM

https://github.com/containous/traefik/releases/tag/v1.7.26

x_refsource_MISC

https://github.com/containous/traefik/releases/tag/v2.2.8

x_refsource_MISC

https://github.com/containous/traefik/releases/tag/v2.3.0-rc3

x_refsource_MISC

https://github.com/containous/traefik/pull/7109

x_refsource_MISC

https://github.com/containous/traefik/commit/e63db782c11c7b8bfce30be4c902e7ef8f9f33d2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.