CVE-2019-12452: Containous Traefik Exposes Password Hashes
CVSS Score: 7.5 (CVSS 3.0)
Basic Information
CVE ID: CVE-2019-12452
GHSA ID:
EPSS Score: 0.62016%
CWE: CWE-522
Published: 5/24/2022
Updated: 8/24/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/traefik/traefik | go | >= 1.7.0, <= 1.7.11 | 1.7.12 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from struct field serialization in the API response. The affected structs (Basic, Digest, ClientTLS) had their sensitive fields (Users/Key) configured with 'json' tags that allowed inclusion in API responses. The patch fixes this by setting 'json:"-"' to exclude these fields from serialization. While these are struct fields rather than traditional functions, they represent the vulnerable data exposure points in the configuration handling logic. The high confidence comes from the direct correlation between the CWE-522 pattern and the patch changes to sensitive field serialization behavior.
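The serialization behavior described above, as an added example that is not Traefik's code: `BasicBefore` and `BasicAfter` are simplified stand-ins for the `Basic` struct, the pre-patch tag `json:"users,omitempty"` is an assumption, and the hash string is a constructed sample. `ExposedFields` is a hypothetical audit helper that flags named sensitive fields `encoding/json` would still emit.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Simplified stand-ins for the Basic struct; tags are assumed, not Traefik's source.
type BasicBefore struct {
	Users     []string `json:"users,omitempty"` // emitted in API responses
	UsersFile string   `json:"usersFile,omitempty"`
}

type BasicAfter struct {
	Users     []string `json:"-"` // skipped by encoding/json
	UsersFile string   `json:"usersFile,omitempty"`
}

// Render marshals a configuration value the way a JSON API handler would.
func Render(v interface{}) string {
	b, err := json.Marshal(v)
	if err != nil {
		return "error: " + err.Error()
	}
	return string(b)
}

// ExposedFields lists the named sensitive fields that encoding/json would
// still emit. v must be a struct value (hypothetical helper for this example).
func ExposedFields(v interface{}, sensitive ...string) []string {
	t := reflect.TypeOf(v)
	var out []string
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		for _, name := range sensitive {
			// Exported fields are serialized unless the tag is exactly "-".
			if f.Name == name && f.PkgPath == "" && f.Tag.Get("json") != "-" {
				out = append(out, f.Name)
			}
		}
	}
	return out
}

func main() {
	users := []string{"admin:$apr1$CONSTRUCTED$notarealhash"} // constructed sample
	fmt.Println(Render(BasicBefore{Users: users}))            // hash appears in output
	fmt.Println(Render(BasicAfter{Users: users}))             // {}
	fmt.Println(ExposedFields(BasicBefore{}, "Users", "Key"))
}
```

A check like `ExposedFields` can run as a unit test over configuration types so that a credential-bearing field without `json:"-"` fails the build.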