Vulnerability Description
types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by reading the ClientTLS section. These can be found in the JSON response to a /api request.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Traefik | Traefik | >= 1.7.0, <= 1.7.11 |
Related Weaknesses (CWE)
References
- https://docs.traefik.io/configuration/api/#securityExploitVendor Advisory
- https://github.com/containous/traefik/issues/4917ExploitThird Party Advisory
- https://github.com/containous/traefik/pull/4918ExploitPatchThird Party Advisory
- https://docs.traefik.io/configuration/api/#securityExploitVendor Advisory
- https://github.com/containous/traefik/issues/4917ExploitThird Party Advisory
- https://github.com/containous/traefik/pull/4918ExploitPatchThird Party Advisory
FAQ
What is CVE-2019-12452?
CVE-2019-12452 is a vulnerability with a CVSS score of 7.5 (HIGH). types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API doc...
How severe is CVE-2019-12452?
CVE-2019-12452 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-12452?
Check the references section above for vendor advisories and patch information. Affected products include: Traefik Traefik.