1. Home
  2. CVE Database
  3. CVE-2020-15129
MEDIUM · 6.1

CVE-2020-15129

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard compon...

Vulnerability Description

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component doesn't validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE

Affected Products

VendorProductVersions
TraefikTraefik< 1.7.26

Related Weaknesses (CWE)

CWE-601

References

FAQ

What is CVE-2020-15129?

CVE-2020-15129 is a vulnerability with a CVSS score of 6.1 (MEDIUM). In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard compon...

How severe is CVE-2020-15129?

CVE-2020-15129 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-15129?

Check the references section above for vendor advisories and patch information. Affected products include: Traefik Traefik.