medium
6.5
CWE
20 177
Advisory Published
Advisory Published
Updated

CVE-2023-47106: Incorrect processing of fragment in the URL leads to Authorization Bypass in Traefik

First published: Mon Dec 04 2023(Updated: )

### Summary When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates the RFC because in the origin-form the URL should only contain the absolute path and the query. When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control restrictions. ### Details For example, we have this Nginx configuration: ``` location /admin { deny all; return 403; } ``` This can be bypassed when the attacker is requesting to /#/../admin This won’t be vulnerable if the backend server follows the RFC and ignores any characters after the fragment. However, if Nginx is chained with another reverse proxy which automatically URL encode the character # (Traefik) the URL will become /%23/../admin And allow the attacker to completely bypass the Access Restriction from the Nginx Front-End proxy. Here is a diagram to summarize the attack: ![image](https://user-images.githubusercontent.com/47447167/278849578-34ca0546-99b4-44c8-8fc8-8e799c1f5069.png) ### PoC ![image (1)](https://user-images.githubusercontent.com/47447167/278849597-280f2e80-f2d7-4dd9-9662-b8f488fd5ff2.png) This is the POC docker I've set up. It contains Nginx, Traefik proxies and a backend server running PHP. https://drive.google.com/file/d/1vLnA0g7N7ZKhLNmHmuJ4JJjV_J2akNMt/view?usp=sharing ### Impact This allows the attacker to completely bypass the Access Restriction from Front-End proxy.

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
go/github.com/traefik/traefik/v3<3.0.0-beta5
3.0.0-beta5
go/github.com/traefik/traefik/v2<2.10.6
2.10.6
Traefik Traefik<=2.10.5
Traefik Traefik=3.0.0-beta1
Traefik Traefik=3.0.0-beta2
Traefik Traefik=3.0.0-beta3
Traefik Traefik=3.0.0-beta4

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the vulnerability ID for this issue?

    The vulnerability ID for this issue is CVE-2023-47106.

  • What is the title of this vulnerability?

    The title of this vulnerability is 'Incorrect processing of fragment in the URL leads to Authorization Bypass in Traefik'.

  • What is the severity level of CVE-2023-47106?

    The severity level of CVE-2023-47106 is medium.

  • How does CVE-2023-47106 impact Traefik?

    CVE-2023-47106 impacts Traefik by allowing for authorization bypass due to incorrect processing of URL fragments.

  • How can I fix CVE-2023-47106?

    To fix CVE-2023-47106, update Traefik to version 2.10.6 or 3.0.0-beta5, depending on your currently used version.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203