Containous Traefik


By the Year

In 2024 there have been 0 vulnerabilities in Containous Traefik. Traefik did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 0 0.00
2022 0 0.00
2021 1 5.30
2020 3 6.57
2019 1 7.50
2018 1 7.50

It may take a day or so for new Traefik vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Containous Traefik Security Vulnerabilities

Traefik before 2.4.5

CVE-2021-27375 5.3 - Medium - February 18, 2021

Traefik before 2.4.5 allows the loading of IFRAME elements from other domains.

Clickjacking

In Traefik before versions 1.7.26

CVE-2020-15129 4.7 - Medium - July 30, 2020

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component doesn't validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios.

Open Redirect

Traefik 2.x, in certain configurations

CVE-2019-20894 7.5 - High - July 02, 2020

Traefik 2.x, in certain configurations, allows HTTPS sessions to proceed without mutual TLS verification in a situation where ERR_BAD_SSL_CLIENT_AUTH_CERT should have occurred.

Improper Certificate Validation

configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents

CVE-2020-9321 7.5 - High - March 16, 2020

configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging.

Improper Certificate Validation

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation)

CVE-2019-12452 7.5 - High - May 29, 2019

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by reading the ClientTLS section. These can be found in the JSON response to a /api request.

Insufficiently Protected Credentials

Containous Traefik 1.6.x before 1.6.6

CVE-2018-15598 7.5 - High - August 21, 2018

Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.

Authentication
