PT-2020-14209 · Containous · Traefik

Published: 2019-10-03 · Updated: 2022-02-11 · CVE-2020-15129

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Traefik versions prior to 1.7.26
Traefik versions prior to 2.2.8
Traefik versions prior to 2.3.0-rc3
Description

Traefik's API dashboard builds its redirect target from the X-Forwarded-Prefix request header without validating that the header value is a site-relative path. A request carrying an absolute URL in that header is therefore redirected to an arbitrary attacker-chosen location (an open redirect), which can be used to lure victims onto a malicious site and entice them into disclosing sensitive information. Active exploitation is considered unlikely because the attacker must be able to inject the header into the request as it reaches Traefik, but the issue was fixed to close off potential abuse such as cache poisoning scenarios.
Recommendations

For versions prior to 1.7.26, update to version 1.7.26 or later.
For versions prior to 2.2.8, update to version 2.2.8 or later.
For versions prior to 2.3.0-rc3, update to version 2.3.0-rc3 or later.

As a temporary workaround, use the headers middleware to override the X-Forwarded-Prefix request header with a dot (.) before it reaches the dashboard. A prefix of "." makes the redirect target a path relative to the current request, so an absolute URL supplied by the client can no longer become the Location header.
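The flawed redirect, the validated form, and the header-override workaround side by side, as an added example in Go written for this page; it is not Traefik's own source. It assumes a minimal dashboard handler that redirects GET / to /dashboard/; the names VulnerableDashboardHandler, SafePrefix, HardenedDashboardHandler, OverridePrefix and LocationFor, and the attacker-controlled header values, are constructed for the demonstration. OverridePrefix plays the role of the headers-middleware workaround from the recommendations, forcing the header to "." before the handler sees it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const headerForwardedPrefix = "X-Forwarded-Prefix"

// VulnerableDashboardHandler mirrors the flawed pattern the advisory describes:
// the forwarded prefix is concatenated into the redirect target without any
// check that it is a site-relative path. (Illustrative, not Traefik's code.)
func VulnerableDashboardHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		prefix := r.Header.Get(headerForwardedPrefix)
		http.Redirect(w, r, prefix+"/dashboard/", http.StatusFound)
	})
}

// SafePrefix returns the forwarded prefix only when it is a site-relative path:
// no scheme, no authority, exactly one leading slash, no backslashes (some
// browsers treat "\" as "/"). Anything else collapses to "" so the redirect
// stays on the current origin.
func SafePrefix(prefix string) string {
	if prefix == "" {
		return ""
	}
	u, err := url.Parse(prefix)
	if err != nil || u.Scheme != "" || u.Host != "" || u.Opaque != "" {
		return ""
	}
	p := u.Path // decoded, so "/%2F%2Fhost" is caught by the "//" check below
	if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") || strings.ContainsAny(p, `\`) {
		return ""
	}
	return strings.TrimSuffix(p, "/")
}

// HardenedDashboardHandler is the same redirect with validation in front.
func HardenedDashboardHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		prefix := SafePrefix(r.Header.Get(headerForwardedPrefix))
		http.Redirect(w, r, prefix+"/dashboard/", http.StatusFound)
	})
}

// OverridePrefix is the advisory's workaround as a Go middleware: whatever the
// client sent, the header reaching the wrapped handler is ".".
func OverridePrefix(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Set(headerForwardedPrefix, ".")
		next.ServeHTTP(w, r)
	})
}

// LocationFor sends GET / with the given X-Forwarded-Prefix value and returns
// the Location header the handler produced.
func LocationFor(h http.Handler, prefix string) string {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if prefix != "" {
		req.Header.Set(headerForwardedPrefix, prefix)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	// Constructed header values: one legitimate prefix, one absolute URL,
	// one protocol-relative URL.
	for _, p := range []string{"/traefik", "https://evil.example", "//evil.example"} {
		fmt.Printf("%-22s vulnerable=%-32s hardened=%-20s workaround=%s\n", p,
			LocationFor(VulnerableDashboardHandler(), p),
			LocationFor(HardenedDashboardHandler(), p),
			LocationFor(OverridePrefix(VulnerableDashboardHandler()), p))
	}
}
```

Run it with `go run`: the vulnerable handler emits `https://evil.example/dashboard/` and `//evil.example/dashboard/` as Location headers, the hardened handler collapses both to `/dashboard/` while still honouring `/traefik`, and the override middleware neutralises even the vulnerable handler because `./dashboard/` resolves against the request path. In Traefik itself the equivalent workaround is the headers middleware's customRequestHeaders setting with X-Forwarded-Prefix set to ".".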

Fix

Weakness Enumeration

Open Redirect (CWE-601)

Related Identifiers

ALT-PU-2019-2819
ALT-PU-2019-2828
CVE-2020-15129
GHSA-6QQ8-5WQ3-86RP

Affected Products

Alt Linux
Traefik