CVE-2022-23469

Aliases:GHSA-h2ph-vhm7-g4hpGO-2022-1154
Advisory lineage Upstream: 0 Downstream: 2
Modified
Published: 08 Dec 2022, 21:33
Last modified:22 Apr 2025, 15:58

Vulnerability Summary

Overall Risk (default)
medium
36/100
CVSS Score
6.5 MEDIUM
v3.1 (nvd)
EPSS Score
0.36% LOW
0% probability -0.14%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

08 Dec 2022, 21:33
Published
Vulnerability first disclosed
22 Apr 2025, 15:58
Last Modified
Vulnerability information updated

Description

Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a users logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`.

CVSS Metrics

  • v3.1LOWScore: 3.5CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
  • v3.1MEDIUMScore: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Trends

Current EPSS score: 0.36% Percentile: 59%

Techniques & Countermeasures

  • CWE-200Exposure of Sensitive Information to an Unauthorized Actor

    The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • CWE-532Insertion of Sensitive Information into Log File

    The product writes sensitive information to a log file.

Affected Systems

  • github.com/traefiktraefik

    all

  • github.com/traefik/traefikv2

    < 2.9.6

  • traefiktraefik

    < 2.9.6

References (5)