7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23632

GHSA ID

GHSA-hrhx-6h34-j5hc

EPSS Score

0.62042%

CWE

CWE-295

Published

2/16/2022

Updated

1/27/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23632

CVE-2022-23632: Skip the router TLS configuration when the host header is an FQDN

Impact

People that configure mTLS between Traefik and clients.

For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration.

When sending a request using FQDN handled by a router configured with a dedicated TLS configuration, the TLS configuration falls back to the default configuration that might not correspond to the configured one.
If the CNAME flattening is enabled, the selected TLS configuration is the SNI one and the routing uses the CNAME value, so this can skip the expected TLS configuration.

Patches

Traefik v2.6.x: https://github.com/traefik/traefik/releases/tag/v2.6.1

Workarounds

Add the FDQN to the host rule:

Example:

  whoami:
    image: traefik/whoami:v1.7.1
    labels:
      traefik.http.routers.whoami.rule: Host(`whoami.example.com`, `whoami.example.com.`)
      traefik.http.routers.whoami.tls: true
      traefik.http.routers.whoami.tls.options: mtls@file

There is no workaround if the CNAME flattening is enabled.

For more information

If you have any questions or comments about this advisory, please open an issue.

(GitHub Advisory)

7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23632

GHSA ID

GHSA-hrhx-6h34-j5hc

EPSS Score

0.62042%

CWE

CWE-295

Published

2/16/2022

Updated

1/27/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/traefik/traefik/v2	go	< 2.6.1	2.6.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper TLS configuration selection when the host header is an FQDN (with/without a trailing dot) or when CNAME flattening is enabled. The pull request #8764 indicates fixes in TLS configuration logic to align with routing rules. Functions like getTLSConfig (TLS selection) and matchSNI (SNI handling) are critical points where FQDN normalization and CNAME resolution would occur. The workaround requiring explicit FQDN declarations in host rules further suggests the host-matching logic in TLS configuration was not handling these cases correctly.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t P*opl* t**t *on*i*ur* mTLS **tw**n Tr***ik *n* *li*nts. *or * r*qu*st, t** TLS *on*i*ur*tion **oi** **n ** *i***r*nt t**n t** rout*r **oi**, w*i** impli*s t** us* o* * wron* TLS *on*i*ur*tion. - W**n s*n*in* * r*qu*st usin* *Q*N **n*l**

Reasoning

T** vuln*r**ility st*ms *rom improp*r TLS *on*i*ur*tion s*l**tion w**n t** *ost *****r is *n *Q*N (wit*/wit*out * tr*ilin* *ot) or w**n *N*M* *l*tt*nin* is *n**l**. T** pull r*qu*st #**** in*i**t*s *ix*s in TLS *on*i*ur*tion lo*i* to *li*n wit* routi

7.4

Basic Information

Concerned about an active attack path?

CVE-2022-23632: Skip the router TLS configuration when the host header is an FQDN

Impact

Patches

Workarounds

For more information

7.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI