PT-2022-16146 · Traefik
Published: 2022-02-16 · Updated: 2026-01-12
CVE-2022-23632
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Traefik versions prior to 2.6.1
Description
The issue arises because Traefik, an HTTP reverse proxy and load balancer, skips the router's transport layer security (TLS) configuration when the Host header is a fully qualified domain name (FQDN). As a result, the TLS configuration applied to the connection can differ from the one selected by the router. When a request is sent using an FQDN that is handled by a router with a dedicated TLS configuration, Traefik falls back to the default TLS configuration, which may not match the one configured for that router. If CNAME flattening is enabled, the TLS configuration is chosen from the SNI value while routing uses the CNAME value, so the expected TLS configuration can likewise be skipped.
Recommendations
For versions prior to 2.6.1, update to version 2.6.1 to resolve the issue.
As a temporary workaround for versions prior to 2.6.1, add the FQDN to the host rule.
Note that there is no workaround if CNAME flattening is enabled.
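The workaround above as an added example in Traefik v2 dynamic configuration (file provider); this is not configuration from the advisory or the Traefik project. It assumes `example.com` is the served host, that the FQDN form is the host name with a trailing dot, and that a TLS options set named `strict` holds the settings the router is meant to enforce.

```yaml
# Added example, not from the advisory or Traefik. Assumptions: example.com is the
# served host, "strict" is the TLS options set that must apply to it, and the FQDN
# form of the name is "example.com." (trailing dot). Paths and URLs are placeholders.
tls:
  options:
    strict:
      minVersion: VersionTLS13
      clientAuth:
        caFiles:
          - /etc/traefik/clients-ca.pem   # placeholder path
        clientAuthType: RequireAndVerifyClientCert

http:
  routers:
    # Exposed shape on versions before 2.6.1: a request whose Host header is the
    # FQDN "example.com." is still routed here, but the "strict" options are
    # skipped and the default TLS configuration is used instead.
    #
    #   secure:
    #     rule: "Host(`example.com`)"
    #     service: app
    #     tls:
    #       options: strict
    #
    # Workaround from the advisory: list the FQDN in the Host rule as well, so the
    # router and the TLS configuration agree on both spellings of the name.
    # There is no workaround when CNAME flattening is enabled; upgrade to 2.6.1.
    secure:
      rule: "Host(`example.com`, `example.com.`)"
      service: app
      tls:
        options: strict

  services:
    app:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8080"   # placeholder backend
```

Updating to 2.6.1 remains the actual fix; the extra Host entry only narrows the gap on older versions.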
Weakness Enumeration
Improper Certificate Validation
Affected Products
Alt Linux
Traefik