CVE-2020-15129 Scanner
Detects the 'Open Redirect' vulnerability (CVE-2020-15129) in Traefik, affecting versions before 1.7.26, 2.2.8, and 2.3.0-rc3.
Short Info
Level: Medium
Type: Single Scan
Can be used by: Asset Owner
Estimated Time: 30 sec
Scan only one: Url
Parent Category
CVE-2020-15129 Scanner Detail
Traefik is an open-source reverse proxy and load balancer that is popularly used in cloud-native applications and microservices. It is designed to provide developers with an easy and configurable way to manage and route traffic across their applications. With its features such as dynamic service discovery, SSL/TLS encryption, and Kubernetes integration, Traefik simplifies the task of operating distributed applications in a containerized environment.
However, like any other software, Traefik is occasionally found to contain vulnerabilities. One of them is CVE-2020-15129, which affects versions before 1.7.26, 2.2.8, and 2.3.0-rc3. It is an open redirect in Traefik's handling of the "X-Forwarded-Prefix" header: the API dashboard component fails to validate that the header value is a site-relative path, so it redirects to whatever URI the header supplies, including one on a different origin.
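The failing check described above, shown as an added illustration in Go (Traefik's own language). This is not Traefik's code or its actual patch; the function names and the "/dashboard/" target are assumptions chosen for the example. The vulnerable form concatenates the forwarded prefix into the redirect target unchecked, while the hardened form first confirms the prefix is a site-relative path, rejecting absolute URLs, scheme-relative "//host" values and the backslash variant that some browsers normalise to "//".

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isSiteRelativePath reports whether prefix is a path that stays on the
// current origin. It rejects absolute URLs ("https://other.example"),
// scheme-relative URLs ("//other.example"), the backslash variant some
// browsers normalise to "//" ("/\other.example"), and anything that parses
// with a scheme, host or opaque part.
func isSiteRelativePath(prefix string) bool {
	if prefix == "" || prefix[0] != '/' {
		return false
	}
	if len(prefix) > 1 && (prefix[1] == '/' || prefix[1] == '\\') {
		return false
	}
	u, err := url.Parse(prefix)
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Host == "" && u.Opaque == ""
}

// vulnerableDashboardRedirect mirrors the flawed pattern the advisory
// describes: the header value is used as the Location prefix without
// being validated. (Illustrative only, not Traefik's code.)
func vulnerableDashboardRedirect(forwardedPrefix string) string {
	return forwardedPrefix + "/dashboard/"
}

// hardenedDashboardRedirect honours the forwarded prefix only when it is a
// site-relative path and otherwise falls back to the default location.
func hardenedDashboardRedirect(forwardedPrefix string) string {
	if !isSiteRelativePath(forwardedPrefix) {
		return "/dashboard/"
	}
	return strings.TrimSuffix(forwardedPrefix, "/") + "/dashboard/"
}

func main() {
	// Constructed sample header values, not captured traffic.
	samples := []string{
		"/traefik",
		"/",
		"//other.example",
		"https://other.example",
		`/\other.example`,
	}
	for _, s := range samples {
		fmt.Printf("%-24q vulnerable=%-34q hardened=%q\n",
			s, vulnerableDashboardRedirect(s), hardenedDashboardRedirect(s))
	}
}
```

The same validator is also the defender's test: any Location value produced from a forwarded header that parses with a non-empty scheme or host, or that begins with "//" or "/\", has left the origin and should be treated as an open redirect.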
If exploited, the vulnerability can be used to trick victims into disclosing sensitive information. For instance, an attacker can craft a link to the trusted Traefik host that carries the open redirect and send it to a victim. When the victim follows the link, they are redirected to a phishing site or a fake login page, where they may unknowingly enter credentials that the attacker then captures.
At SecurityForEveryone.com, we take the security of our clients' digital assets seriously. The pro features of our platform make it easy to learn quickly about vulnerabilities in your digital assets. Our platform provides continuous monitoring and scanning of your applications and networks, and we notify you immediately if any vulnerabilities are detected. Sign up today to ensure the safety and security of your digital assets.
REFERENCES
- https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp
- https://github.com/containous/traefik/releases/tag/v1.7.26
- https://github.com/containous/traefik/releases/tag/v2.2.8
- https://github.com/containous/traefik/releases/tag/v2.3.0-rc3
- https://github.com/containous/traefik/pull/7109
- https://github.com/containous/traefik/commit/e63db782c11c7b8bfce30be4c902e7ef8f9f33d2