CVE-2019-12452 : Vulnerability Insights and Analysis
Learn about CVE-2019-12452, which affects Containous Traefik versions 1.7.x through 1.7.11: when the --api flag is enabled and the API is reachable without sufficient access control, a remote user who can query /api receives the running configuration, including password hashes and a ClientTLS key.
In Containous Traefik versions 1.7.x through 1.7.11, the API enabled by the --api flag returns the current configuration with its secrets intact, so remote authenticated users who can reach an insufficiently protected API can uncover Basic/Digest authentication password hashes and the ClientTLS key.
Understanding CVE-2019-12452
This CVE describes an information disclosure issue in Containous Traefik versions 1.7.x through 1.7.11 that can lead to the exposure of password hashes and a TLS private key through the /api endpoint.
What is CVE-2019-12452?
When Traefik is started with the --api flag and the API entrypoint is publicly reachable without sufficient access control, any remote user who can query it receives the full current configuration.
The Traefik 1.7 documentation states that the operator must secure the API; the vulnerability is that, on such an exposed deployment, the configuration is returned without redacting credential fields, so password hashes and a private key can be read from it.
The Impact of CVE-2019-12452
Remote authenticated users can read the Basic HTTP Authentication or Digest HTTP Authentication section of a frontend's configuration in the /api JSON response and obtain its users list, which holds htpasswd-style password hashes. Hashes in the common $apr1$ (MD5-based) format are cheap to crack offline.
The same response can reveal a private key by reading the ClientTLS section: Traefik accepts this field either as a file path or as inline PEM content, and inline content is returned verbatim.
Technical Details of CVE-2019-12452
Vulnerability Description
The vulnerability arises when Traefik runs with the --api flag and the API entrypoint is reachable without sufficient access control, contrary to the documentation. Affected versions return the configuration from /api without hiding credential fields; 1.7.12 adds that redaction.
Affected Systems and Versions
Containous Traefik versions 1.7.x through 1.7.11 are affected by this vulnerability.
Exploitation Mechanism
A remote user who can reach the exposed API sends a request to the /api endpoint and reads the frontend authentication sections and any ClientTLS section in the JSON response. No further interaction with Traefik is required; the secrets are in the normal API output.
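The following is an added example, not Traefik's own code, showing what an exposed 1.7.x /api response gives away and how to check a captured response for it. The JSON is constructed to resemble a 1.7 response (providers containing frontends with auth sections, plus a clientTLS block); the exact field layout of the real response is an assumption, so the scanner walks the whole document and classifies string values by their format rather than by a fixed path. The redact function illustrates the 1.7.12-style fix of hiding such values while keeping the structure.

```python
"""Scan a Traefik 1.7 /api response for leaked credentials (added example).

SAMPLE_API_RESPONSE is constructed for this example; its hashes and key
fragments are placeholders, not real credentials.
"""
import json
import re

# htpasswd-style "user:hash" entries as used by Traefik basic auth.
HTPASSWD_HASH = re.compile(r"^[^:]+:(\$apr1\$|\$2[aby]\$|\{SHA\}|\$5\$|\$6\$)")
# htdigest-style "user:realm:md5hex" entries as used by Traefik digest auth.
DIGEST_ENTRY = re.compile(r"^[^:]+:[^:]+:[0-9a-f]{32}$")
# Inline PEM private key content (ClientTLS "key" accepts a path or content).
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----")

# Constructed sample; layout assumed, values are placeholders.
SAMPLE_API_RESPONSE = json.dumps({
    "file": {
        "frontends": {
            "frontend-admin": {
                "backend": "backend-admin",
                "routes": {"route": {"rule": "Host:admin.example.test"}},
                "auth": {"basic": {"users": [
                    "admin:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]}},
            },
            "frontend-api": {
                "backend": "backend-api",
                "auth": {"digest": {"users": [
                    "api:traefik:a2688e031edb4be6a3797f3882655c05"]}},
            },
        },
        "backends": {
            "backend-admin": {"servers": {"s1": {"url": "http://10.0.0.5:8000"}}},
        },
    },
    "consul": {
        "clientTLS": {
            "ca": "/etc/traefik/ca.pem",
            "cert": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----",
            "key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEI...\n-----END EC PRIVATE KEY-----",
        }
    },
})


def classify(value: str):
    """Return the kind of secret a string value is, or None if it is not one."""
    if PEM_PRIVATE_KEY.search(value):
        return "private-key"
    if HTPASSWD_HASH.match(value):
        return "basic-auth-hash"
    if DIGEST_ENTRY.match(value):
        return "digest-auth-hash"
    return None


def find_leaks(doc, path=""):
    """Walk the decoded JSON and return (json_path, kind, value) per secret."""
    leaks = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            leaks.extend(find_leaks(value, f"{path}/{key}"))
    elif isinstance(doc, list):
        for index, value in enumerate(doc):
            leaks.extend(find_leaks(value, f"{path}[{index}]"))
    elif isinstance(doc, str):
        kind = classify(doc)
        if kind:
            leaks.append((path, kind, doc))
    return leaks


def scan_api_response(raw: str):
    """Decode a raw /api body and list every credential it exposes."""
    return find_leaks(json.loads(raw))


def redact(doc):
    """Return a copy with each secret replaced by 'xxxx', keeping the structure
    (the approach of hiding values rather than dropping fields, as 1.7.12 does)."""
    if isinstance(doc, dict):
        return {key: redact(value) for key, value in doc.items()}
    if isinstance(doc, list):
        return [redact(value) for value in doc]
    if isinstance(doc, str) and classify(doc):
        return "xxxx"
    return doc


if __name__ == "__main__":
    for json_path, kind, value in scan_api_response(SAMPLE_API_RESPONSE):
        print(f"{kind:18} {json_path}: {value[:40]}")
```

To use it against a real deployment, save the body of a GET request to the API entrypoint's /api path and pass it to scan_api_response; any hit means the corresponding password or key should be treated as compromised and rotated, not merely hidden.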
Mitigation and Prevention
Immediate Steps to Take
Disable the --api flag if the API and dashboard are not required for operation.
If the API is required, serve it on its own entrypoint bound to a non-public address and require authentication on that entrypoint (Traefik 1.7 supports basic and digest authentication per entrypoint), or restrict it at the network level to administrators. Treat every hash or key that was visible through a previously exposed API as compromised: rotate the affected passwords and the ClientTLS key.
Long-Term Security Practices
Regularly review which management endpoints are reachable from outside and the access control policies that protect them.
Conduct security assessments to identify exposed administrative APIs and other vulnerabilities proactively.
Patching and Updates
Upgrade to Traefik 1.7.12 or later, which hides these sensitive values in the API output. The vendor describes this as an enhancement rather than a substitute for securing the API, so access control on the API entrypoint remains required.