CVE-2022-23469 (GCVE-0-2022-23469)
Vulnerability from cvelistv5
Published
2022-12-08 21:33
Modified
2025-04-22 15:58
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary
Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a users logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`.
References
security-advisories@github.comhttps://github.com/traefik/traefik/pull/9574Patch, Third Party Advisory
security-advisories@github.comhttps://github.com/traefik/traefik/releases/tag/v2.9.6Release Notes, Third Party Advisory
security-advisories@github.comhttps://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hpExploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/traefik/traefik/pull/9574Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/traefik/traefik/releases/tag/v2.9.6Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hpExploit, Patch, Third Party Advisory
Impacted products
Vendor Product Version
traefik traefik Version: < 2.9.6
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T03:43:45.925Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp",
               },
               {
                  name: "https://github.com/traefik/traefik/pull/9574",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/traefik/traefik/pull/9574",
               },
               {
                  name: "https://github.com/traefik/traefik/releases/tag/v2.9.6",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/traefik/traefik/releases/tag/v2.9.6",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-23469",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-04-22T15:40:39.072674Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-04-22T15:58:19.635Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "traefik",
               vendor: "traefik",
               versions: [
                  {
                     status: "affected",
                     version: "< 2.9.6",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a users logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 3.5,
                  baseSeverity: "LOW",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-200",
                     description: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-12-08T21:33:19.114Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp",
            },
            {
               name: "https://github.com/traefik/traefik/pull/9574",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/traefik/traefik/pull/9574",
            },
            {
               name: "https://github.com/traefik/traefik/releases/tag/v2.9.6",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/traefik/traefik/releases/tag/v2.9.6",
            },
         ],
         source: {
            advisory: "GHSA-h2ph-vhm7-g4hp",
            discovery: "UNKNOWN",
         },
         title: "Authorization header displayed in the debug logs",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2022-23469",
      datePublished: "2022-12-08T21:33:19.114Z",
      dateReserved: "2022-01-19T21:23:53.756Z",
      dateUpdated: "2025-04-22T15:58:19.635Z",
      requesterUserId: "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.9.6\", \"matchCriteriaId\": \"F629DB16-8E4D-4447-B603-6A6463378267\"}]}]}]",
         descriptions: "[{\"lang\": \"en\", \"value\": \"Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a users logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`.\"}, {\"lang\": \"es\", \"value\": \"Traefik es un equilibrador de carga y proxy inverso HTTP de c\\u00f3digo abierto. Las versiones anteriores a la 2.9.6 est\\u00e1n sujetas a una vulnerabilidad potencial en Traefik al mostrar el encabezado Autorizaci\\u00f3n en sus registros de depuraci\\u00f3n. En ciertos casos, si el nivel de registro est\\u00e1 configurado en DEBUG, las credenciales proporcionadas mediante el encabezado Autorizaci\\u00f3n se muestran en los registros de depuraci\\u00f3n. Los atacantes deben tener acceso al sistema de registro de usuarios para poder robar las credenciales. Este problema se solucion\\u00f3 en la versi\\u00f3n 2.9.6. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden configurar el nivel de registro en \\\"INFO\\\", \\\"ADVERTENCIA\\\" o \\\"ERROR\\\".\"}]",
         id: "CVE-2022-23469",
         lastModified: "2024-11-21T06:48:37.487",
         metrics: "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"baseScore\": 3.5, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
         published: "2022-12-08T22:15:10.043",
         references: "[{\"url\": \"https://github.com/traefik/traefik/pull/9574\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v2.9.6\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/traefik/traefik/pull/9574\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v2.9.6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Patch\", \"Third Party Advisory\"]}]",
         sourceIdentifier: "security-advisories@github.com",
         vulnStatus: "Modified",
         weaknesses: "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-532\"}]}]",
      },
      nvd: "{\"cve\":{\"id\":\"CVE-2022-23469\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-12-08T22:15:10.043\",\"lastModified\":\"2024-11-21T06:48:37.487\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a users logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`.\"},{\"lang\":\"es\",\"value\":\"Traefik es un equilibrador de carga y proxy inverso HTTP de código abierto. Las versiones anteriores a la 2.9.6 están sujetas a una vulnerabilidad potencial en Traefik al mostrar el encabezado Autorización en sus registros de depuración. En ciertos casos, si el nivel de registro está configurado en DEBUG, las credenciales proporcionadas mediante el encabezado Autorización se muestran en los registros de depuración. Los atacantes deben tener acceso al sistema de registro de usuarios para poder robar las credenciales. Este problema se solucionó en la versión 2.9.6. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden configurar el nivel de registro en \\\"INFO\\\", \\\"ADVERTENCIA\\\" o \\\"ERROR\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.9.6\",\"matchCriteriaId\":\"F629DB16-8E4D-4447-B603-6A6463378267\"}]}]}],\"references\":[{\"url\":\"https://github.com/traefik/traefik/pull/9574\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v2.9.6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/traefik/traefik/pull/9574\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/traefik/traefik/releases/tag/v2.9.6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp\", \"name\": \"https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/traefik/traefik/pull/9574\", \"name\": \"https://github.com/traefik/traefik/pull/9574\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v2.9.6\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v2.9.6\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T03:43:45.925Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-23469\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T15:40:39.072674Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-22T15:40:42.733Z\"}}], \"cna\": {\"title\": \"Authorization header displayed in the debug logs\", \"source\": {\"advisory\": \"GHSA-h2ph-vhm7-g4hp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 3.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"traefik\", \"product\": \"traefik\", \"versions\": [{\"status\": \"affected\", \"version\": \"< 2.9.6\"}]}], \"references\": [{\"url\": \"https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp\", \"name\": \"https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/traefik/traefik/pull/9574\", \"name\": \"https://github.com/traefik/traefik/pull/9574\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/traefik/traefik/releases/tag/v2.9.6\", \"name\": \"https://github.com/traefik/traefik/releases/tag/v2.9.6\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a users logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-12-08T21:33:19.114Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2022-23469\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-22T15:58:19.635Z\", \"dateReserved\": \"2022-01-19T21:23:53.756Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-12-08T21:33:19.114Z\", \"requesterUserId\": \"c184a3d9-dc98-4c48-a45b-d2d88cf0ac74\", \"assignerShortName\": \"GitHub_M\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.