CVE-2022-23632

Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration. When sending a request using FQDN handled by a router configured with a dedicated TLS configuration, the TLS configuration falls back to the default configuration that might not correspond to the configured one. If the CNAME flattening is enabled, the selected TLS configuration is the SNI one and the routing uses the CNAME value, so this can skip the expected TLS configuration. Version 2.6.1 contains a patch for this issue. As a workaround, one may add the FDQN to the host rule. However, there is no workaround if the CNAME flattening is enabled.

CVSS v3 7.4 HIGH
CVSS v2.0 6.8 MEDIUM

7.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/traefik/traefik/pull/8764	Issue Tracking Patch Third Party Advisory
https://github.com/traefik/traefik/releases/tag/v2.6.1	Release Notes Third Party Advisory
https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory
https://github.com/traefik/traefik/pull/8764	Issue Tracking Patch Third Party Advisory
https://github.com/traefik/traefik/releases/tag/v2.6.1	Release Notes Third Party Advisory
https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:oracle:communications_unified_inventory_management:7.5.0:*:*:*:*:*:*:*

History

21 Nov 2024, 06:48

Type	Values Removed	Values Added
References	~~() https://github.com/traefik/traefik/pull/8764 - Issue Tracking, Patch, Third Party Advisory~~	() https://github.com/traefik/traefik/pull/8764 - Issue Tracking, Patch, Third Party Advisory
References	~~() https://github.com/traefik/traefik/releases/tag/v2.6.1 - Release Notes, Third Party Advisory~~	() https://github.com/traefik/traefik/releases/tag/v2.6.1 - Release Notes, Third Party Advisory
References	~~() https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc - Patch, Third Party Advisory~~	() https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc - Patch, Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpujul2022.html - Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpujul2022.html - Third Party Advisory
CVSS	v2 : ~~6.8~~ v3 : ~~7.5~~	v2 : 6.8 v3 : 7.4

Information

Published : 2022-02-17 15:15

Updated : 2024-11-21 06:48

NVD link : CVE-2022-23632

Mitre link : CVE-2022-23632

CVE.ORG link : CVE-2022-23632

JSON object : View

Products Affected

oracle

communications_unified_inventory_management

traefik

traefik

CWE

CWE-295

Improper Certificate Validation

7.4 /10