Home > Vulnerability Database > CVE-2023-47106

Mend.io Vulnerability Database

CVE-2023-47106

Good to know:

Date: December 4, 2023

Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain the absolute path and the query. When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control restrictions. This vulnerability has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Go

Severity Score

4.8

Related Resources (7)

Url: https://datatracker.ietf.org/doc/html/rfc7230#section-5.3.1

Url: https://github.com/traefik/traefik/security/advisories/GHSA-fvhj-4qfh-q2hm

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-47106

Url: https://github.com/traefik/traefik

Url: https://github.com/traefik/traefik/releases/tag/v2.10.6

Url: https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5

Url: https://www.mend.io/vulnerability-database/CVE-2023-47106

Severity Score

4.8

Weakness Type (CWE)

Input Validation

CWE-20

Improper Handling of URL Encoding (Hex Encoding)

CWE-177

Top Fix

Upgrade Version

Upgrade to version v2.10.6

Learn More

CVSS v3.1

Base Score:	4.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-47106

Good to know:

Date: December 4, 2023

Language: Go

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?