PT-2022-27770 · Traefik

Published 2022-12-08 · Updated 2024-08-21 · CVE-2022-46153

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Traefik versions prior to 2.9.6

Description: There is a potential issue in Traefik's handling of TLS connections. A router configured with a malformed TLSOption is exposed with an empty TLSOption instead. For instance, a route secured with mTLS whose TLSOption references a wrong CA file is exposed without the client certificates being verified.
Recommendations: To resolve the issue, upgrade to version 2.9.6. If upgrading is not possible, check the logs for error messages such as the following, each of which indicates a router that is being served with an empty TLSOption:
  • Empty CA: {"level":"error","msg":"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required","routerName":"Router0@file"}
  • Bad CA content (or bad path): {"level":"error","msg":"invalid certificate(s) content","routerName":"Router0@file"}
  • Unknown Client Auth Type: {"level":"error","msg":"unknown client auth type "FooClientAuthType"","routerName":"Router0@file"}
  • Invalid cipherSuites: {"level":"error","msg":"invalid CipherSuite: foobar","routerName":"Router0@file"}
  • Invalid curvePreferences: {"level":"error","msg":"invalid CurveID in curvePreferences: foobar","routerName":"Router0@file"}

Fix the TLSOption so that the affected router is no longer exposed with an empty TLSOption.
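The log check described above, as an added example that is not part of the advisory or of Traefik itself: it scans Traefik JSON log lines for the five error messages listed, and reports each router whose TLSOption was rejected (and is therefore served with an empty TLSOption on unpatched versions). The log lines are constructed samples and the message patterns are taken from the advisory.

```python
import json
import re

# Error messages Traefik logs when it rejects a TLSOption (from the advisory),
# each paired with a short label used in the report.
TLS_OPTION_ERRORS = [
    ("empty CA", re.compile(r"^invalid clientAuthType: .*CAFiles is required$")),
    ("bad CA content or path", re.compile(r"^invalid certificate\(s\) content$")),
    ("unknown client auth type", re.compile(r"^unknown client auth type ")),
    ("invalid cipherSuites", re.compile(r"^invalid CipherSuite: ")),
    ("invalid curvePreferences", re.compile(r"^invalid CurveID in curvePreferences: ")),
]


def find_exposed_routers(log_lines: list[str]) -> dict[str, list[str]]:
    """Return {routerName: [problem, ...]} for routers whose TLSOption was rejected.

    On Traefik < 2.9.6 each such router falls back to an empty TLSOption, so
    e.g. a RequireAndVerifyClientCert mTLS check is silently skipped.
    """
    exposed: dict[str, list[str]] = {}
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a JSON log line (e.g. CLF access log); ignore it
        if entry.get("level") != "error":
            continue
        msg = entry.get("msg", "")
        router = entry.get("routerName", "<unknown router>")
        for label, pattern in TLS_OPTION_ERRORS:
            if pattern.search(msg):
                exposed.setdefault(router, []).append(label)
                break
    return exposed


# Constructed sample log: two broken routers, one unrelated error, one non-JSON line.
SAMPLE_LOG = [
    '{"level":"info","msg":"Configuration loaded from file: /etc/traefik/traefik.yml"}',
    '{"level":"error","msg":"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required","routerName":"Router0@file"}',
    '{"level":"error","msg":"invalid certificate(s) content","routerName":"Router1@file"}',
    '{"level":"error","msg":"unknown client auth type \\"FooClientAuthType\\"","routerName":"Router1@file"}',
    '{"level":"error","msg":"service not found","routerName":"Router2@file"}',
    "not a json line",
]

if __name__ == "__main__":
    for router, problems in find_exposed_routers(SAMPLE_LOG).items():
        print(f"{router}: served with EMPTY TLSOption ({', '.join(problems)})")
```

Feed it the real log (one JSON object per line, as Traefik emits with the JSON log format) to get the list of routers to fix before the upgrade can be scheduled.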

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

ALT-PU-2023-1270
ALT-PU-2023-1324
ALT-PU-2023-7095
CVE-2022-46153
ECHO-F918-5978-27A9
GHSA-468W-8X39-GJ5V
GO-2022-1152
OPENSUSE-SU-2024:12615-1
OPENSUSE-SU-2024:14076-1

Affected Products

Alt Linux
Traefik