PT-2023-30312 · Traefik+2

Benasin · Published 2023-12-04 · Updated 2024-09-09 · CVE-2023-47106

CVSS v3.1: 4.8 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Traefik versions prior to 2.10.6
Traefik versions prior to 3.0.0-beta5
Description

The issue arises when Traefik receives a request whose request-target contains a URL fragment, that is, a # character and whatever follows it. Under RFC 7230 (and RFC 3986) a fragment is client-side only and never belongs in a request-target, so a proxy should not forward it; Traefik instead percent-encodes the # as %23 and forwards the result to the backend, violating RFC 7230. When Traefik sits behind another frontend proxy that enforces URI-based access control, such as Nginx, this can be used to bypass those restrictions. For example, an attacker requests /#/../admin. A proxy that follows the RFC and ignores every character from the # onward sees only the path /, so a rule restricting /admin never matches; on its own such a proxy is not vulnerable, and neither is a backend that stops at the #. However, when Nginx is chained with Traefik, Traefik rewrites the request to /%23/../admin. A backend that percent-decodes the path and removes the dot-segment then resolves it to /admin, and the access restriction configured in Nginx is bypassed completely.
Recommendations

For Traefik versions prior to 2.10.6, upgrade to version 2.10.6 or later. For Traefik versions prior to 3.0.0-beta5, upgrade to version 3.0.0-beta5 or later. Until the upgrade is in place, a temporary workaround is to reject, at the outermost proxy, any request whose request-target contains a # character: a conforming client never sends a fragment to the server, so such a request has no legitimate use and should be treated as an attempted bypass rather than passed on to Traefik. Do not rely on fragments being dropped anywhere in the chain until the issue is resolved.
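The following Go program is an added example and is not Traefik's or Nginx's own code. It models the three hops the description names (an RFC-following outer proxy, the fragment-encoding proxy, and a backend that normalises the path) with constructed rules, and its safeForward function shows the request-rejecting workaround from the recommendations. Assumptions, also marked in the comments: the outer proxy's only rule is "deny everything under /admin", and the backend percent-decodes and removes dot-segments before routing. The encoding step uses net/url's ParseRequestURI, the same parser a Go HTTP server applies to a request line, which is what turns /#/../admin into /%23/../admin.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// frontendAllows models the outer proxy (the advisory's Nginx) with one
// constructed rule: everything under /admin is denied. Like an RFC-conforming
// parser it stops reading the path at the first '#', so a fragment never takes
// part in the match. (Assumed rule; not a real Nginx configuration.)
func frontendAllows(requestTarget string) bool {
	p := requestTarget
	if i := strings.IndexByte(p, '#'); i >= 0 {
		p = p[:i]
	}
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i]
	}
	return !strings.HasPrefix(p, "/admin")
}

// forwardedTarget reproduces the vulnerable step. url.ParseRequestURI does not
// treat '#' as a fragment delimiter and keeps it in Path; re-serialising the URL
// for the upstream request percent-encodes it, so "/#/../admin" becomes
// "/%23/../admin".
func forwardedTarget(requestTarget string) (string, error) {
	u, err := url.ParseRequestURI(requestTarget)
	if err != nil {
		return "", err
	}
	return u.String(), nil
}

// backendRoute models a backend that percent-decodes the forwarded path and
// removes dot-segments before routing (assumed behaviour): "/%23/../admin"
// resolves to "/admin".
func backendRoute(forwarded string) (string, error) {
	u, err := url.Parse(forwarded)
	if err != nil {
		return "", err
	}
	return path.Clean(u.Path), nil
}

// chain sends one request-target through frontend, vulnerable proxy and
// backend. It returns the path the backend finally routes and whether the
// frontend let the request through at all.
func chain(requestTarget string) (routed string, allowed bool, err error) {
	if !frontendAllows(requestTarget) {
		return "", false, nil
	}
	fwd, err := forwardedTarget(requestTarget)
	if err != nil {
		return "", true, err
	}
	routed, err = backendRoute(fwd)
	return routed, true, err
}

var errFragmentInTarget = errors.New("request-target contains a fragment delimiter")

// safeForward is the hardened variant of forwardedTarget: a conforming client
// never sends a fragment, so a '#' in the request-target has no legitimate use
// and the request is rejected instead of being encoded and forwarded.
func safeForward(requestTarget string) (string, error) {
	if strings.ContainsRune(requestTarget, '#') {
		return "", errFragmentInTarget
	}
	return forwardedTarget(requestTarget)
}

func main() {
	for _, target := range []string{"/admin", "/#/../admin", "/public"} {
		routed, allowed, err := chain(target)
		fmt.Printf("%-12s frontend allowed=%-5v backend routes %q err=%v\n", target, allowed, routed, err)
		if _, err := safeForward(target); err != nil {
			fmt.Printf("%-12s hardened proxy: %v\n", target, err)
		}
	}
}
```

Running it shows /admin stopped at the frontend, /#/../admin passing the frontend as "/" and reaching the backend as /admin through the vulnerable proxy, and the same request refused outright by safeForward. The rejection belongs at the outermost hop: once the # has been percent-encoded it is indistinguishable from a legitimately encoded path segment, so a later check can no longer tell the two apart.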


Related Identifiers

ALT-PU-2024-12000
ALT-PU-2024-1254
ALT-PU-2024-1883
ALT-PU-2024-6626
CVE-2023-47106
ECHO-3CCF-9FB8-6EBF
GHSA-FVHJ-4QFH-Q2HM
GO-2023-2376
OPENSUSE-SU-2024:13506-1
OPENSUSE-SU-2024:14076-1

Affected Products

Alt Linux
Nginx
Traefik