CVE-2019-12452

HIGH

Traefik < 1.7.11 - Insufficiently Protected Credentials

Title source: rule

Description

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by reading the ClientTLS section. These can be found in the JSON response to a /api request.

References (3)

[Exploit, Vendor Advisory] https://docs.traefik.io/configuration/api/#security

[Exploit, Third Party Advisory] https://github.com/containous/traefik/issues/4917

[Exploit, Patch, Third Party Advisory] https://github.com/containous/traefik/pull/4918

Scores

CVSS v3 7.5

EPSS 0.0034

EPSS Percentile 56.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-522

Status published

Affected Products (2)

traefik/traefik < 1.7.11

traefik/traefik < 1.7.12Go

Timeline

Published May 29, 2019

Tracked Since Feb 18, 2026