CVE-2023-47106 - Traefik Reverse Proxy URL Fragment Redirection Bypassing Proxy URI-based Access Control

Traefik is a popular open-source HTTP reverse proxy and load balancer used by developers and system administrators to route incoming traffic to their applications. A vulnerability, tracked as CVE-2023-47106, has been found in the way Traefik handles URL fragments in incoming request targets: instead of dropping the fragment, Traefik percent-encodes it and forwards it to the backend as part of the path. When Traefik sits alongside another proxy that enforces URI-based access control, a malicious actor can use this behavior to bypass those restrictions.

References

1. Traefik: https://traefik.io/
2. CVE-2023-47106: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47106
3. RFC 7230, section 5.3.1 (origin-form): https://tools.ietf.org/html/rfc7230

Consider this setup where Traefik routes requests to a backend server

https://frontend-proxy.example.com -> Traefik -> https://backend-server.example.com

When a request comes in with a URL fragment, such as

https://frontend-proxy.example.com/sensitive-page#fragment

Traefik keeps the fragment, percent-encodes the # as %23, and sends the following request target to the backend server

https://backend-server.example.com/sensitive-page%23fragment

As per RFC 7230 (section 5.3.1), a request target in origin-form consists only of the absolute path and an optional query. Fragments are a client-side concept and must never be forwarded to the backend server.

This vulnerability can be exploited when Traefik is deployed together with another frontend proxy, such as Nginx, that enforces URI-based access control. If Nginx denies access to a specific path, a malicious actor can craft a URL in which the blocked path is hidden behind a fragment, so that the percent-encoded path Traefik forwards no longer matches the access control rule.

For example, consider the following Nginx access control configuration

location /sensitive-page {
  deny all;
}

A malicious user could construct this URL

https://frontend-proxy.example.com/innocent-page#%2Fsensitive-page

When processed by Traefik, the request sent to the backend server would be

https://backend-server.example.com/innocent-page%23%2Fsensitive-page

The Nginx location rule for /sensitive-page never matches this request, because the path it evaluates begins with /innocent-page; the blocked path segment is carried past the access check inside the encoded fragment, potentially granting unauthorized access to sensitive information.
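The forwarding behavior and the bypass described above, reproduced with Go's standard library as an added example (this is not Traefik's own code, and the hardened helper is illustrative rather than Traefik's actual patch). The raw request lines are constructed for the example and use an unencoded slash inside the fragment; the host name is the one from this page. Go's request parser keeps a # inside the path because request targets are not supposed to carry fragments, and re-serialising the URL percent-encodes it as %23, which is exactly the pre-fix behavior the advisory describes:

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed raw request lines, as an attacker would send them over a raw
// socket (browsers and most HTTP clients never put a '#' on the wire).
const (
	rawWithFragment = "GET /sensitive-page#fragment HTTP/1.1\r\nHost: frontend-proxy.example.com\r\n\r\n"
	rawSmuggled     = "GET /innocent-page#/sensitive-page HTTP/1.1\r\nHost: frontend-proxy.example.com\r\n\r\n"
)

// vulnerableForwardTarget models the pre-fix behavior: the target is parsed
// with the standard library's request parser, which keeps the '#' inside the
// path, and RequestURI() re-serialises it with the '#' encoded as %23.
func vulnerableForwardTarget(raw string) (string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", err
	}
	return req.URL.RequestURI(), nil
}

// originFormTarget forwards only what RFC 7230 section 5.3.1 allows in
// origin-form: absolute-path [ "?" query ]. Everything from the first '#'
// onwards is dropped before the target is re-serialised. This is an
// illustrative hardened version (assumption), not Traefik's actual fix.
func originFormTarget(raw string) (string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", err
	}
	target, _, _ := strings.Cut(req.RequestURI, "#")
	u, err := url.ParseRequestURI(target)
	if err != nil {
		return "", err
	}
	return u.RequestURI(), nil
}

// deniedByPrefixRule mimics a prefix rule such as nginx's
// "location /sensitive-page { deny all; }": the rule is evaluated against
// the percent-decoded path, the way location matching works.
func deniedByPrefixRule(target, blockedPrefix string) bool {
	u, err := url.ParseRequestURI(target)
	if err != nil {
		return true // refuse anything that does not parse as a request target
	}
	return strings.HasPrefix(u.Path, blockedPrefix)
}

func main() {
	for _, raw := range []string{rawWithFragment, rawSmuggled} {
		vuln, _ := vulnerableForwardTarget(raw)
		fixed, _ := originFormTarget(raw)
		fmt.Printf("request line: %q\n", strings.SplitN(raw, "\r\n", 2)[0])
		fmt.Printf("  forwarded (vulnerable): %s  denied=%v  carries blocked path=%v\n",
			vuln, deniedByPrefixRule(vuln, "/sensitive-page"), strings.Contains(vuln, "/sensitive-page"))
		fmt.Printf("  forwarded (origin-form): %s  denied=%v\n",
			fixed, deniedByPrefixRule(fixed, "/sensitive-page"))
	}
}
```

Running it shows that a direct request for /sensitive-page#fragment is still denied (the decoded path starts with /sensitive-page), while /innocent-page#/sensitive-page is forwarded as /innocent-page%23/sensitive-page, which the prefix rule does not match even though the blocked segment travels with the request; the origin-form helper forwards plain /innocent-page and the smuggled segment is gone. To check a real deployment, send the request line over a raw socket rather than with curl, which drops the fragment before sending, and inspect the request target the backend logs.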

Solution

This vulnerability has been addressed in Traefik versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade their Traefik installations to one of these versions to mitigate this risk.

No known workarounds exist for this vulnerability; upgrading is the recommended course of action.

Conclusion

CVE-2023-47106 is a significant vulnerability in Traefik's handling of URL fragments. By upgrading to a patched version, developers and system administrators can protect their applications and infrastructure from the unauthorized access it enables. Stay informed of such developments, keep software up to date, and regularly review the access control rules each proxy in the chain is expected to enforce.

Timeline

Published on: 12/04/2023 21:15:33 UTC
Last modified on: 12/07/2023 21:01:57 UTC