### Impact
There is a potential vulnerability in Traefik displaying the Authorization header in its debug logs.
Traefik uses [oxy](https://github.com/vulcand/oxy) to provide the following features:
- Round Robin: https://doc.traefik.io/traefik/routing/services/#weighted-round-robin-service
- Buffering: https://doc.traefik.io/traefik/middlewares/http/buffering/
- Circuit Breaker: https://doc.traefik.io/traefik/middlewares/http/circuitbreaker/
- In-Flight Requests: https://doc.traefik.io/traefik/middlewares/http/inflightreq/
In such cases, if the log level is set to DEBUG, the credentials provided using the Authorization header are displayed in the debug logs:
```
level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"POST\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"//\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Authorization\":[\"Bearer \"],\"Content-Type\":[\"application/grpc\"],\"Grpc-Accept-Encoding\":[\"gzip\"],\"Grpc-Timeout\":[\"29999886u\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"\"],
```
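The following is an added example, not code from Traefik, oxy, or the linked patch. It shows one way to keep credentials out of a request dump like the one above: mask sensitive headers on a copy before serializing, so the proxied request itself is unchanged. The names `loggedRequest`, `redactHeaders`, `dumpForLog`, and the header list beyond `Authorization` are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// sensitiveHeaders lists canonical header names whose values must not be logged.
// The advisory names only Authorization; the other two are assumptions.
var sensitiveHeaders = []string{"Authorization", "Proxy-Authorization", "Cookie"}

// loggedRequest is a hypothetical reduced view of a request for debug logging.
type loggedRequest struct {
	Method, Path, Proto string
	Header              http.Header
}

// redactHeaders returns a deep copy of h with sensitive values masked.
// h itself is not modified, so the forwarded request still authenticates.
func redactHeaders(h http.Header) http.Header {
	out := h.Clone()
	for _, name := range sensitiveHeaders {
		for i := range out[name] {
			out[name][i] = "[REDACTED]"
		}
	}
	return out
}

// dumpForLog serializes the request for a debug line with credentials masked.
func dumpForLog(r *http.Request) (string, error) {
	b, err := json.Marshal(loggedRequest{
		Method: r.Method, Path: r.URL.Path, Proto: r.Proto,
		Header: redactHeaders(r.Header),
	})
	return string(b), err
}

func main() {
	// Constructed sample request; the token is a made-up value.
	r, _ := http.NewRequest(http.MethodPost, "http://example.invalid/svc", nil)
	r.Header.Set("Authorization", "Bearer constructed-sample-token")
	r.Header.Set("Content-Type", "application/grpc")
	s, _ := dumpForLog(r)
	fmt.Println(s)
}
```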
### Patches
https://github.com/traefik/traefik/pull/9574
https://github.com/traefik/traefik/releases/tag/v2.9.6
### Workarounds
Set the log level to `INFO`, `WARN`, or `ERROR`.
### For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).