Traefik can expose the Authorization header of proxied requests in its debug logs. When the log level is set to DEBUG, the credentials carried in that header (a bearer token in the entry below) are written to the log verbatim:
level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"POST\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/<redacted>/<redacted>\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Authorization\":[\"Bearer <token value was here>\"],\"Content-Type\":[\"application/grpc\"],\"Grpc-Accept-Encoding\":[\"gzip\"],\"Grpc-Timeout\":[\"29999886u\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"<redacted>\"],<remainder of log message removed>
Impact
Traefik uses the oxy library (vulcand/oxy) for several of its request-forwarding features, and it is oxy's round-robin load balancer that emits the request dump shown above, as the vulcand/oxy/roundrobin/rr prefix of the log message indicates. At log level DEBUG that dump includes every request header, so any credential sent in the Authorization header (a bearer token, or a Basic username and password) is recorded in clear text. Anyone who can read the debug logs, or the log-collection pipeline they are shipped to, obtains those credentials and can replay them against the services behind Traefik.
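To find out whether logs already written at DEBUG contain credentials, and to scrub them before they are shipped to a log collector, the following added example parses lines of the shape shown above. It is written for this page and is not Traefik's code or the fix in #9574. The log line it scans is constructed, with a made-up token; the set of headers it treats as credentials (Authorization, Proxy-Authorization, Cookie) and the [REDACTED] marker are assumptions; and it assumes, from the escaping visible in the entry above, that the logrus text format Traefik uses quotes field values with Go's %q, so strconv.Unquote recovers the JSON request dump.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample: a Traefik DEBUG line in the shape quoted in the advisory,
// carrying a made-up bearer token instead of a real credential.
const sampleLine = `time="2022-12-07T10:00:00Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"POST\",\"URL\":{\"Path\":\"/svc/method\"},\"Proto\":\"HTTP/2.0\",\"Header\":{\"Authorization\":[\"Bearer eyJfake.token.value\"],\"Content-Type\":[\"application/grpc\"]}}"`

// requestField captures the logrus-quoted Request="..." value. Logrus quotes
// values with Go's %q, so a backslash-escaped character (including \") must be
// stepped over rather than read as the closing quote.
var requestField = regexp.MustCompile(`Request="((?:[^"\\]|\\.)*)"`)

// credentialHeaders (an assumption for this example) are the headers whose
// values are secrets if they reach a log.
var credentialHeaders = []string{"Authorization", "Proxy-Authorization", "Cookie"}

const redactedMarker = "[REDACTED]"

// decodeRequest unquotes the captured value and parses the JSON request dump.
func decodeRequest(quoted string) (map[string]interface{}, error) {
	raw, err := strconv.Unquote(`"` + quoted + `"`)
	if err != nil {
		return nil, fmt.Errorf("unquote Request field: %w", err)
	}
	var req map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &req); err != nil {
		return nil, fmt.Errorf("decode Request JSON: %w", err)
	}
	return req, nil
}

// LeakedHeaders returns the credential headers a log line exposes in clear
// text. It returns nil for lines that are not request dumps and ignores values
// that have already been replaced by redactedMarker.
func LeakedHeaders(line string) ([]string, error) {
	m := requestField.FindStringSubmatch(line)
	if m == nil {
		return nil, nil
	}
	req, err := decodeRequest(m[1])
	if err != nil {
		return nil, err
	}
	headers, _ := req["Header"].(map[string]interface{})
	var leaked []string
	for _, name := range credentialHeaders {
		vals, _ := headers[name].([]interface{})
		for _, v := range vals {
			if s, ok := v.(string); ok && s != "" && s != redactedMarker {
				leaked = append(leaked, name)
				break
			}
		}
	}
	return leaked, nil
}

// RedactLine rewrites the line so credential headers read redactedMarker while
// the rest of the request dump stays intact for debugging.
func RedactLine(line string) (string, error) {
	m := requestField.FindStringSubmatch(line)
	if m == nil {
		return line, nil
	}
	req, err := decodeRequest(m[1])
	if err != nil {
		return "", err
	}
	if headers, ok := req["Header"].(map[string]interface{}); ok {
		for _, name := range credentialHeaders {
			if _, present := headers[name]; present {
				headers[name] = []string{redactedMarker}
			}
		}
	}
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep "<" and ">" in paths and user agents readable
	if err := enc.Encode(req); err != nil {
		return "", fmt.Errorf("re-encode Request JSON: %w", err)
	}
	dump := strings.TrimRight(buf.String(), "\n")
	// strconv.Quote produces the same escaping as %q, so the rewritten field
	// parses again with the same regexp and Unquote step.
	return strings.Replace(line, m[0], "Request="+strconv.Quote(dump), 1), nil
}

func main() {
	leaked, err := LeakedHeaders(sampleLine)
	if err != nil {
		panic(err)
	}
	fmt.Println("leaked headers:", leaked)
	safe, err := RedactLine(sampleLine)
	if err != nil {
		panic(err)
	}
	fmt.Println(safe)
}
```

Running LeakedHeaders over an archive of DEBUG logs tells you which credentials to rotate; RedactLine is the shape of filter you would put in front of a log shipper if you must keep DEBUG on while waiting to upgrade. Because the JSON is re-encoded from a map, key order in the scrubbed line differs from the original, but every non-credential field survives.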
Patches
#9574
https://github.com/traefik/traefik/releases/tag/v2.9.6
Workarounds
Set the log level to INFO, WARN, or ERROR (for example with the --log.level=INFO CLI flag, or log.level in the static configuration) until you can upgrade to v2.9.6. This only stops new credentials from being logged: any debug logs already written while clients were sending the Authorization header should be treated as containing live credentials, so rotate the tokens or passwords they expose and restrict access to those log files.
For more information
If you have any questions or comments about this advisory, please open an issue.