CVE-2022-46153

MEDIUM6.5EPSS 0.40%

Traefik routes exposed with an empty TLSOption

Published: 12/8/2022Modified: 2/4/2026

Also known as:GHSA-468w-8x39-gj5vCGA-v8g7-cmwh-ffrfGO-2022-1152

Description

## Impact There is a potential vulnerability in Traefik managing the TLS connections. A router configured with a not well-formatted [TLSOption](https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options) is exposed with an empty TLSOption. For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates. ## Patches https://github.com/traefik/traefik/releases/tag/v2.9.6 ## Workarounds Check the logs to detect the following error messages and fix your TLS options: - Empty CA: ``` {"level":"error","msg":"invalid clientAuthType: RequireAndVerifyClientCert, CAFiles is required","routerName":"Router0@file"} ``` - Bad CA content (or bad path): ``` {"level":"error","msg":"invalid certificate(s) content","routerName":"Router0@file"} ``` - Unknown Client Auth Type: ``` {"level":"error","msg":"unknown client auth type \"FooClientAuthType\"","routerName":"Router0@file"} ``` - Invalid cipherSuites ``` {"level":"error","msg":"invalid CipherSuite: foobar","routerName":"Router0@file"} ``` - Invalid curvePreferences ``` {"level":"error","msg":"invalid CurveID in curvePreferences: foobar","routerName":"Router0@file"} ``` ## For more information If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).

Affected packages (3)

Go/github.com/traefik/traefikfrom 0
Go/github.com/traefik/traefik/v2from 0, < 2.9.6
Go/github.com/traefik/traefik/v2from 0, < 2.9.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

Affected packages (3)

CVSS scores

References (6)