Traefik may display authorization header in the debug logs

### Impact

There is a potential vulnerability in Traefik displaying the Authorization header in its debug logs.

Traefik uses oxy to provide the following features:

- Round Robin
- Buffering
- Circuit Breaker
- In-Flight Requests

When a request passes through one of these middlewares and the log level is set to `DEBUG`, the full request, including the credentials carried in the Authorization header, is written to the debug log:

```
level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"POST\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"//\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Authorization\":[\"Bearer \"],\"Content-Type\":[\"application/grpc\"],\"Grpc-Accept-Encoding\":[\"gzip\"],\"Grpc-Timeout\":[\"29999886u\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"\"],
```
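As an added example (not part of this advisory or of Traefik's own code), a small Go scanner for existing debug logs: it parses the `Request="..."` field of a line in the shape shown above, reports any credential headers it carries, and redacts their values so the line can be kept. The sample line is constructed, and the list of headers treated as credentials is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
)

// SampleLine is a constructed debug line in the shape the advisory shows (not a real capture).
const SampleLine = `level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"POST\",\"URL\":{\"Path\":\"/api\"},\"Proto\":\"HTTP/2.0\",\"Header\":{\"Authorization\":[\"Bearer s3cr3t-token\"],\"Content-Type\":[\"application/grpc\"]}}"`
// reqField captures the Request="..." value, a Go-quoted string holding the JSON dump of the request.
var reqField = regexp.MustCompile(`Request=("(?:[^"\\]|\\.)*")`)
// credValue matches a credential header inside the still-escaped JSON, i.e. \"Name\":[\"value\"];
// the header list is an assumption, and only the first value of a multi-valued header is matched.
var credValue = regexp.MustCompile(`(\\"(?:Authorization|Proxy-Authorization|Cookie)\\":\[\\")[^\\]*(\\")`)

// LeakedCredentials decodes the logged request and returns the credential headers it carries
// (empty when the line has no Request field, is malformed, or carries no such header).
func LeakedCredentials(line string) map[string][]string {
	found := map[string][]string{}
	m := reqField.FindStringSubmatch(line)
	if m == nil {
		return found
	}
	raw, err := strconv.Unquote(m[1]) // undo the logfmt quoting to get plain JSON
	if err != nil {
		return found
	}
	var req struct{ Header map[string][]string `json:"Header"` }
	if json.Unmarshal([]byte(raw), &req) != nil {
		return found
	}
	for _, name := range []string{"Authorization", "Proxy-Authorization", "Cookie"} {
		if v, ok := req.Header[name]; ok {
			found[name] = v
		}
	}
	return found
}

// Redact replaces credential values in the line with a placeholder so the line can be retained.
func Redact(line string) string {
	return credValue.ReplaceAllString(line, `${1}[REDACTED]${2}`)
}

func main() {
	fmt.Println("leaked:", LeakedCredentials(SampleLine))
	fmt.Println("redacted:", Redact(SampleLine))
}
```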

### Patches

### Workarounds

Set the log level to `INFO`, `WARN`, or `ERROR`.

### For more information

If you have any questions or comments about this advisory, please open an issue.
