Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms.
When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 3
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Traefik Traefik
cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
|
— |
2.11.41
|
|
Traefik Traefik
cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
|
3.0.0
|
<= 3.6.11
|
|
Traefik Traefik
cpe:2.3:a:traefik:traefik:3.7.0:ea1:*:*:*:*:*:*
|
— | — |
References 4
https://github.com/traefik/traefik/releases/tag/v2.11.41
security-advisories@github.com
https://github.com/traefik/traefik/releases/tag/v3.6.11
security-advisories@github.com
https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.2
security-advisories@github.com
https://github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr
security-advisories@github.com