CVE-2022-23632

HIGH

Traefik < 2.6.1 - Improper Certificate Validation via FQDN Host Header

Title source: llm

Description

Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router's transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a given request, the TLS configuration that is selected can differ from the router that is selected, so the wrong TLS configuration is applied. When a request uses an FQDN handled by a router that has a dedicated TLS configuration, the TLS configuration falls back to the default one, which might not correspond to the configured one. If CNAME flattening is enabled, the TLS configuration is selected from the SNI while routing uses the CNAME value, so the expected TLS configuration can be skipped. Version 2.6.1 contains a patch for this issue. As a workaround, one may add the FQDN to the host rule. There is no workaround if CNAME flattening is enabled.
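The following Go program is an added illustration, not Traefik's code and not taken from the advisory. It models the selection mismatch the description states: TLS options are looked up by SNI against a table keyed by the hosts in router rules, while HTTP routing matches the Host header (tolerating a trailing dot, and following a CNAME when flattening is on). The router name `api`, the TLS options name `strict`, the hostnames and the CNAME table are all constructed assumptions; `normalize=false` stands for the pre-2.6.1 lookup, `normalize=true` for a canonicalised lookup.

```go
package main

import (
	"fmt"
	"strings"
)

// TLSOptions stands in for a Traefik "tls.options" entry (constructed model, not Traefik's types).
type TLSOptions struct {
	Name       string
	MinVersion string
}

// Router models an HTTP router: the hosts from its Host(...) rule and the
// tls.options name it references.
type Router struct {
	Name    string
	Hosts   []string
	TLSName string
}

// DefaultOptions is what the lookup falls back to when no per-host entry matches.
var DefaultOptions = TLSOptions{Name: "default", MinVersion: "VersionTLS10"}

// normalizeHost lowercases and strips one trailing dot, so the FQDN form
// "example.com." and "example.com" compare equal.
func normalizeHost(h string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(h)), ".")
}

// BuildSNITable maps rule hosts to the TLS options their router references.
// With normalize=false the keys are the rule hosts verbatim (the shape of the
// pre-2.6.1 problem); with normalize=true they are canonicalised.
func BuildSNITable(routers []Router, options map[string]TLSOptions, normalize bool) map[string]TLSOptions {
	table := make(map[string]TLSOptions)
	for _, r := range routers {
		opts, ok := options[r.TLSName]
		if !ok {
			opts = DefaultOptions
		}
		for _, h := range r.Hosts {
			key := h
			if normalize {
				key = normalizeHost(h)
			}
			table[key] = opts
		}
	}
	return table
}

// SelectTLS picks TLS options from the ClientHello SNI, falling back to default.
func SelectTLS(table map[string]TLSOptions, sni string, normalize bool) TLSOptions {
	key := sni
	if normalize {
		key = normalizeHost(sni)
	}
	if opts, ok := table[key]; ok {
		return opts
	}
	return DefaultOptions
}

// RouteHost models the HTTP-layer Host matcher. cnames is a constructed CNAME
// table standing in for CNAME flattening: when the host has a CNAME, routing
// is done on the target name instead of the name the client sent.
func RouteHost(routers []Router, host string, cnames map[string]string) (Router, bool) {
	h := normalizeHost(host)
	if target, ok := cnames[h]; ok {
		h = normalizeHost(target)
	}
	for _, r := range routers {
		for _, rh := range r.Hosts {
			if normalizeHost(rh) == h {
				return r, true
			}
		}
	}
	return Router{}, false
}

// Check returns the TLS options actually negotiated for a request, the ones the
// matched router asks for, and whether the two differ.
func Check(routers []Router, options map[string]TLSOptions, cnames map[string]string, sni, host string, normalize bool) (got, want string, mismatch bool) {
	got = SelectTLS(BuildSNITable(routers, options, normalize), sni, normalize).Name
	r, ok := RouteHost(routers, host, cnames)
	if !ok {
		return got, "", false // unrouted request: no router, so nothing to compare against
	}
	want = r.TLSName
	if _, ok := options[want]; !ok {
		want = DefaultOptions.Name
	}
	return got, want, got != want
}

func main() {
	options := map[string]TLSOptions{"strict": {Name: "strict", MinVersion: "VersionTLS13"}}
	routers := []Router{{Name: "api", Hosts: []string{"api.example.com"}, TLSName: "strict"}}
	cnames := map[string]string{"www.example.com": "api.example.com"} // constructed flattening case

	// FQDN request (trailing dot): default options before normalisation, strict after.
	for _, norm := range []bool{false, true} {
		got, want, bad := Check(routers, options, nil, "api.example.com.", "api.example.com.", norm)
		fmt.Printf("fqdn normalize=%v got=%s want=%s mismatch=%v\n", norm, got, want, bad)
	}
	// CNAME flattening: SNI is the alias, routing uses the target; normalisation does not help.
	got, want, bad := Check(routers, options, cnames, "www.example.com", "www.example.com", true)
	fmt.Printf("cname got=%s want=%s mismatch=%v\n", got, want, bad)
}
```

The first case reproduces the workaround from the description: adding `"api.example.com."` to the router's hosts makes the verbatim table contain the FQDN key, so the request gets `strict` even without normalisation. The CNAME case shows why no such workaround exists there: the lookup key (the SNI the client sent) is a name that appears in no router rule, so the default options are chosen regardless of how the table is keyed.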

References (4)

https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc (Patch, Third Party Advisory; x_refsource_confirm)
https://github.com/traefik/traefik/pull/8764 (Issue Tracking, Patch, Third Party Advisory; x_refsource_misc)
https://github.com/traefik/traefik/releases/tag/v2.6.1 (Release Notes, Third Party Advisory; x_refsource_misc)
https://www.oracle.com/security-alerts/cpujul2022.html (Third Party Advisory; x_refsource_misc)

Scores

CVSS v3 7.4
EPSS 0.0056
EPSS Percentile 68.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-295
Status published
Products (3)
oracle/communications_unified_inventory_management 7.5.0
traefik/traefik < 2.6.1
traefik/traefik 0 - 2.6.1 (Go)
Published Feb 17, 2022
Tracked Since Feb 18, 2026