
CVE-2019-12452: Containous Traefik Exposes Password Hashes

CVSS Score: 7.5 (CVSS v3.0)

Basic Information

EPSS Score: 0.62016%
Published: 5/24/2022
Updated: 8/24/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name                 Ecosystem   Vulnerable Versions    First Patched Version
github.com/traefik/traefik   go          >= 1.7.0, <= 1.7.11    1.7.12

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from struct field serialization in the API response. The affected structs (Basic, Digest, ClientTLS) carried their sensitive fields (Users on Basic and Digest, Key on ClientTLS) with ordinary `json` tags, so encoding/json included the password hashes and key material whenever a frontend's configuration was returned by the API. The patch fixes this by tagging those fields `json:"-"`, which makes encoding/json skip them regardless of their value. While these are struct fields rather than traditional functions, they are the data exposure points in the configuration handling logic. The high confidence comes from the direct correlation between the CWE-522 pattern (insufficiently protected credentials) and the patch's changes to the serialization behaviour of exactly these fields. Note that `json:"-"` only affects encoding/json; any other encoder used to render the same structs needs its own exclusion.
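The following is an added example, not Traefik's code, written to show the mechanism described above in isolation. The struct and field names are assumptions modelled on the page's Basic and ClientTLS types, the sample hash and key are constructed test values, and the Frontend wrapper only approximates the object an API handler would return. It renders the same data with the vulnerable tags and with the `json:"-"` fix, checks whether the secrets appear in the output, and includes a small reflection helper that lists which fields of a struct type encoding/json would emit, which is a cheap audit for configuration types before they are handed to an API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// Constructed sample secrets (htpasswd-style "user:hash" entry and a placeholder key),
// used only so the output can be checked for their presence.
const (
	SampleHash      = "$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
	SampleUserEntry = "test:" + SampleHash
	SampleKey       = "CONSTRUCTED-PRIVATE-KEY-MATERIAL"
)

// VulnerableBasic approximates the pre-1.7.12 shape (assumed names): Users carries
// "user:hash" entries under a normal json tag, so encoding/json emits them.
type VulnerableBasic struct {
	Users        []string `json:"users,omitempty"`
	UsersFile    string   `json:"usersFile,omitempty"`
	RemoveHeader bool     `json:"removeHeader,omitempty"`
}

// VulnerableClientTLS likewise emits the private key material.
type VulnerableClientTLS struct {
	Cert string `json:"cert,omitempty"`
	Key  string `json:"key,omitempty"`
}

// PatchedBasic applies the fix: json:"-" makes encoding/json skip the field entirely.
type PatchedBasic struct {
	Users        []string `json:"-"`
	UsersFile    string   `json:"usersFile,omitempty"`
	RemoveHeader bool     `json:"removeHeader,omitempty"`
}

// PatchedClientTLS keeps the certificate visible but hides the key.
type PatchedClientTLS struct {
	Cert string `json:"cert,omitempty"`
	Key  string `json:"-"`
}

// Frontend is a minimal stand-in for the frontend object an API would return;
// the auth blocks are interfaces so either shape can be plugged in.
type Frontend struct {
	Backend   string      `json:"backend"`
	Basic     interface{} `json:"basic,omitempty"`
	ClientTLS interface{} `json:"clientTLS,omitempty"`
}

// RenderAPIResponse serializes a frontend the way a JSON API handler would.
func RenderAPIResponse(basic, clientTLS interface{}) (string, error) {
	b, err := json.Marshal(Frontend{Backend: "backend1", Basic: basic, ClientTLS: clientTLS})
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// LeaksSecret reports whether any of the given secrets appears verbatim in body.
func LeaksSecret(body string, secrets ...string) bool {
	for _, s := range secrets {
		if strings.Contains(body, s) {
			return true
		}
	}
	return false
}

// ExportedJSONFields lists the JSON keys encoding/json would emit for the struct
// type of v: exported fields whose json tag is not "-".
func ExportedJSONFields(v interface{}) []string {
	rt := reflect.TypeOf(v)
	if rt.Kind() == reflect.Ptr {
		rt = rt.Elem()
	}
	var keys []string
	for i := 0; i < rt.NumField(); i++ {
		f := rt.Field(i)
		if f.PkgPath != "" { // unexported field, never serialized
			continue
		}
		tag := f.Tag.Get("json")
		if tag == "-" {
			continue
		}
		key := strings.Split(tag, ",")[0]
		if key == "" {
			key = f.Name
		}
		keys = append(keys, key)
	}
	return keys
}

func main() {
	vuln, _ := RenderAPIResponse(VulnerableBasic{Users: []string{SampleUserEntry}},
		VulnerableClientTLS{Cert: "cert.pem", Key: SampleKey})
	patched, _ := RenderAPIResponse(PatchedBasic{Users: []string{SampleUserEntry}},
		PatchedClientTLS{Cert: "cert.pem", Key: SampleKey})
	fmt.Println("vulnerable:", vuln, "leaks:", LeaksSecret(vuln, SampleHash, SampleKey))
	fmt.Println("patched:   ", patched, "leaks:", LeaksSecret(patched, SampleHash, SampleKey))
	fmt.Println("PatchedBasic emits:", ExportedJSONFields(PatchedBasic{}))
}
```

The hardened output still carries the non-secret fields (backend name, certificate path), which is the point of the fix: the API stays useful for operators while the hash and key never reach the wire. Hiding the fields is not a substitute for the access control the advisory says the API requires; it only limits what an already-authorised caller can read.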


WAF Protection Rules

WAF Rule

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the `--api` flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users t
