Traefik Containous Traefik

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Containous Traefik.

By the Year

In 2024 there have been 0 vulnerabilities in Containous Traefik . Traefik did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 0 0.00
2022 0 0.00
2021 1 5.30
2020 3 6.57
2019 1 7.50
2018 1 7.50

It may take a day or so for new Traefik vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Containous Traefik Security Vulnerabilities

Traefik before 2.4.5

CVE-2021-27375 5.3 - Medium - February 18, 2021

Traefik before 2.4.5 allows the loading of IFRAME elements from other domains.

Clickjacking

In Traefik before versions 1.7.26

CVE-2020-15129 4.7 - Medium - July 30, 2020

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component doesn't validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios.

Open Redirect

Traefik 2.x, in certain configurations

CVE-2019-20894 7.5 - High - July 02, 2020

Traefik 2.x, in certain configurations, allows HTTPS sessions to proceed without mutual TLS verification in a situation where ERR_BAD_SSL_CLIENT_AUTH_CERT should have occurred.

Improper Certificate Validation

configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents

CVE-2020-9321 7.5 - High - March 16, 2020

configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging.

Improper Certificate Validation

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation)

CVE-2019-12452 7.5 - High - May 29, 2019

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by reading the ClientTLS section. These can be found in the JSON response to a /api request.

Insufficiently Protected Credentials

Containous Traefik 1.6.x before 1.6.6

CVE-2018-15598 7.5 - High - August 21, 2018

Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.

authentification

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Traefik or by Containous? Click the Watch button to subscribe.

Containous
Vendor

subscribe