CVE-2023-47106 - Traefik Reverse Proxy URL Fragment Redirection Bypassing Proxy URI-based Access Control
Traefik is a popular open-source HTTP reverse proxy and load balancer that developers and system administrators use to route incoming traffic to their applications. A vulnerability tracked as CVE-2023-47106 was found in the way Traefik handles URL fragments: instead of discarding the fragment, Traefik percent-encoded it into the path it forwarded upstream. That encoding behaviour lets an attacker bypass path-based access control enforced by a proxy sitting in front of Traefik.
References
1. Traefik: https://traefik.io/
2. CVE-2023-47106: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47106
3. RFC 7230: https://tools.ietf.org/html/rfc7230
Consider a setup in which Traefik routes requests to a backend server:
https://frontend-proxy.example.com -> Traefik -> https://backend-server.example.com
When a request arrives whose request-target carries a URL fragment, such as
https://frontend-proxy.example.com/sensitive-page#fragment
vulnerable Traefik versions percent-encode the fragment (the `#` becomes `%23`) and append it to the path, so the request sent to the backend server becomes
https://backend-server.example.com/sensitive-page%23fragment
RFC 7230 (section 5.3.1) defines the origin-form request-target as the absolute path followed by an optional query; a fragment is never part of it. A proxy should therefore forward only the path and query to the backend and drop the fragment entirely, rather than encoding it into the path.
This behaviour becomes exploitable when Traefik sits behind another frontend proxy, such as Nginx, that enforces path-based access control. If Nginx blocks a specific path, a request whose fragment carries that path can pass the Nginx rule while Traefik turns the encoded fragment into part of the forwarded path.
For example, consider the following Nginx access control configuration:
location /sensitive-page {
    deny all;   # refuse every client for this path prefix
}
A malicious user could construct this URL:
https://frontend-proxy.example.com/innocent-page#%2Fsensitive-page
When processed by a vulnerable Traefik, the request sent to the backend server would be
https://backend-server.example.com/innocent-page%23%2Fsensitive-page
Because Nginx evaluated the request against /innocent-page, the deny rule for /sensitive-page never fired, and the backend receives a path derived from the fragment, potentially granting unauthorized access to sensitive information.
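The following Go program is an added example, not Traefik's code, that contrasts the forwarding behaviour described above with an RFC 7230 compliant origin-form. LeakyOriginForm is a constructed model of the pre-fix behaviour (percent-encoding the fragment into the path), OriginForm keeps only the absolute path and query, and FlagFragmentTargets is a small defender-side check that scans constructed access-log lines for request-targets containing a literal `#` or `%23`, which a conforming client never sends. Function names, the sample URLs from this page and the log lines are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// OriginForm builds the RFC 7230 section 5.3.1 origin-form
// (absolute-path [ "?" query ]) that a reverse proxy should forward
// upstream. The fragment is discarded, never encoded into the path.
func OriginForm(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	target := u.EscapedPath()
	if target == "" {
		target = "/"
	}
	if u.RawQuery != "" {
		target += "?" + u.RawQuery
	}
	return target, nil
}

// LeakyOriginForm is a constructed model (not Traefik's implementation) of
// the behaviour this page describes: the fragment is percent-encoded and
// glued onto the path, so "#" becomes "%23" in the forwarded request-target.
func LeakyOriginForm(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	target := u.EscapedPath()
	if target == "" {
		target = "/"
	}
	if u.RawQuery != "" {
		target += "?" + u.RawQuery
	}
	if u.Fragment != "" {
		// url.PathEscape escapes both "#" and "/" as a single path segment.
		target += url.PathEscape("#" + u.Fragment)
	}
	return target, nil
}

// FlagFragmentTargets scans access-log lines in common log format and
// returns the request-targets that carry a literal "#" or an encoded "%23".
// Clients following the HTTP spec strip fragments before sending, so such
// targets are worth a closer look when reviewing proxy logs.
func FlagFragmentTargets(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		start := strings.Index(line, "\"")
		if start < 0 {
			continue
		}
		end := strings.Index(line[start+1:], "\"")
		if end < 0 {
			continue
		}
		fields := strings.Fields(line[start+1 : start+1+end]) // METHOD TARGET VERSION
		if len(fields) < 2 {
			continue
		}
		target := fields[1]
		if strings.Contains(target, "#") || strings.Contains(strings.ToLower(target), "%23") {
			flagged = append(flagged, target)
		}
	}
	return flagged
}

func main() {
	req := "https://frontend-proxy.example.com/innocent-page#%2Fsensitive-page"
	leaky, _ := LeakyOriginForm(req)
	clean, _ := OriginForm(req)
	fmt.Println("leaky forward :", leaky) // /innocent-page%23%2Fsensitive-page
	fmt.Println("RFC 7230 form :", clean) // /innocent-page

	// Constructed sample log lines, not real traffic.
	logs := []string{
		`203.0.113.5 - - [04/Dec/2023:21:15:33 +0000] "GET /innocent-page#%2Fsensitive-page HTTP/1.1" 200 512`,
		`203.0.113.6 - - [04/Dec/2023:21:16:01 +0000] "GET /healthz HTTP/1.1" 200 2`,
		`203.0.113.7 - - [04/Dec/2023:21:16:40 +0000] "GET /innocent-page%23%2Fsensitive-page HTTP/1.1" 200 512`,
	}
	fmt.Println("flagged targets:", FlagFragmentTargets(logs))
}
```

OriginForm relies on net/url's parser having already split the fragment off; whatever the client put after `#` never reaches the forwarded request-target. The log check deliberately matches both the raw `#` and its percent-encoded form, since a proxy that has already applied the leaky transformation would log the latter.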
Solution
This vulnerability has been addressed in Traefik versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade their Traefik installations to one of these versions to mitigate the risk.
No known workarounds exist for this vulnerability; upgrading is the recommended course of action.
Conclusion
CVE-2023-47106 is a significant vulnerability in Traefik's handling of URL fragments. By upgrading to a patched version, developers and system administrators can protect their applications and infrastructure from the unauthorized access it enables. Staying informed about such developments, keeping software up to date and regularly reviewing security practices remain the basic precautions.
Timeline
Published on: 12/04/2023 21:15:33 UTC
Last modified on: 12/07/2023 21:01:57 UTC