CVE-2022-23469 LOW

CVE-2022-23469: Authorization header displayed in the debug logs

Vendor Traefik
Product traefik
Weakness CWE-200 · Info exposure
Published December 8, 2022
Last update April 22, 2025

CVSS base score

3.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a users logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`.

Key dates

02Disclosure timeline

December 8, 2022 CVE published
April 22, 2025 Record updated