Site icon API Security Blog

Traefik may display authorization header in the debug logs

### Impact

There is a potential vulnerability in Traefik displaying the Authorization header in its debug logs.

Traefik uses [oxy](https://github.com/vulcand/oxy) to provide the following features:

– Round Robin: https://doc.traefik.io/traefik/routing/services/#weighted-round-robin-service
– Buffering: https://doc.traefik.io/traefik/middlewares/http/buffering/
– Circuit Breaker: https://doc.traefik.io/traefik/middlewares/http/circuitbreaker/
– In-Flight Requests: https://doc.traefik.io/traefik/middlewares/http/inflightreq/

In such cases, if the log level is set to DEBUG, the credentials provided using the Authorization header are displayed in the debug logs:

“`
level=debug msg=”vulcand/oxy/roundrobin/rr: completed ServeHttp on request” Request=”{\”Method\”:\”POST\”,\”URL\”:{\”Scheme\”:\”\”,\”Opaque\”:\”\”,\”User\”:null,\”Host\”:\”\”,\”Path\”:\”//\”,\”RawPath\”:\”\”,\”ForceQuery\”:false,\”RawQuery\”:\”\”,\”Fragment\”:\”\”,\”RawFragment\”:\”\”},\”Proto\”:\”HTTP/2.0\”,\”ProtoMajor\”:2,\”ProtoMinor\”:0,\”Header\”:{\”Authorization\”:[\”Bearer \”],\”Content-Type\”:[\”application/grpc\”],\”Grpc-Accept-Encoding\”:[\”gzip\”],\”Grpc-Timeout\”:[\”29999886u\”],\”Te\”:[\”trailers\”],\”User-Agent\”:[\”\”],
“`

### Patches

https://github.com/traefik/traefik/pull/9574
https://github.com/traefik/traefik/releases/tag/v2.9.6

### Workarounds

Set the log level to `INFO`, `WARN`, or `ERROR`.

### For more information

If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).Read More

Exit mobile version