Authorization header displayed in the debug logs

Impact

There is a potential vulnerability in Traefik displaying the Authorization header in its debug logs.

Traefik uses oxy to provide the following features:

Round Robin: https://doc.traefik.io/traefik/routing/services/#weighted-round-robin-service
Buffering: https://doc.traefik.io/traefik/middlewares/http/buffering/
Circuit Breaker: https://doc.traefik.io/traefik/middlewares/http/circuitbreaker/
In-Flight Requests: https://doc.traefik.io/traefik/middlewares/http/inflightreq/

In such cases, if the log level is set to DEBUG, the credentials provided using the Authorization header are displayed in the debug logs:

level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\\"Method\\":\\"POST\\",\\"URL\\":{\\"Scheme\\":\\"\\",\\"Opaque\\":\\"\\",\\"User\\":null,\\"Host\\":\\"\\",\\"Path\\":\\"/<redacted>/<redacted>\\",\\"RawPath\\":\\"\\",\\"ForceQuery\\":false,\\"RawQuery\\":\\"\\",\\"Fragment\\":\\"\\",\\"RawFragment\\":\\"\\"},\\"Proto\\":\\"HTTP/2.0\\",\\"ProtoMajor\\":2,\\"ProtoMinor\\":0,\\"Header\\":{\\"Authorization\\":[\\"Bearer <token value was here>\\"],\\"Content-Type\\":[\\"application/grpc\\"],\\"Grpc-Accept-Encoding\\":[\\"gzip\\"],\\"Grpc-Timeout\\":[\\"29999886u\\"],\\"Te\\":[\\"trailers\\"],\\"User-Agent\\":[\\"<redacted>\\"],<remainder of log message removed>

Patches

#9574
https://github.com/traefik/traefik/releases/tag/v2.9.6

Workarounds

Set the log level to INFO, WARN, or ERROR.

For more information

If you have any questions or comments about this advisory, please open an issue.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Authorization header displayed in the debug logs

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

For more information

Severity

CVE ID

Weaknesses