CVE-2020-9321

CVSS base score: 7.5 (HIGH)

📋 TL;DR

Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 do not purge certificate contents before writing configuration details to their logs, so TLS certificate material delivered through a certificate provider, private keys included, can end up in log output. No access to Traefik itself is needed: anyone who can read the logs, or any system the logs are shipped to, can recover the key and impersonate the services Traefik fronts.
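The bug class behind this advisory, as an added illustration that is not Traefik's source: a configuration struct whose fields may hold either a file path or inline PEM is serialized into a debug log line as delivered, beside a hardened version that redacts before serializing. The FileOrContent and Certificate names loosely follow Traefik's dynamic TLS configuration but are assumptions for this example, the log line format is a stand-in, and the PEM body in the sample is a placeholder string rather than a real key.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// FileOrContent follows the pattern Traefik uses for TLS material in dynamic
// configuration: the string is either a path to a PEM file or the PEM text
// itself. Because it is a plain string, serializing the parent struct into a
// log message writes a private key verbatim whenever the inline form is used.
type FileOrContent string

// looksLikeContent is true for inline PEM (or anything multi-line); a file
// path is a single line and carries no PEM armor.
func (f FileOrContent) looksLikeContent() bool {
	s := string(f)
	return strings.Contains(s, "-----BEGIN") || strings.ContainsAny(s, "\r\n")
}

// Certificate stands in for one certificate/key pair delivered by a provider.
// Type and field names are assumptions for this example, not Traefik's code.
type Certificate struct {
	CertFile FileOrContent `json:"certFile"`
	KeyFile  FileOrContent `json:"keyFile"`
}

// formatConfigLine mimics a debug-level "configuration received" log line:
// the struct is JSON-encoded and the logger quotes the message with %q.
func formatConfigLine(c Certificate) string {
	b, _ := json.Marshal(c)
	return fmt.Sprintf("level=debug msg=%q", "Configuration received: "+string(b))
}

// DumpUnsafe is the vulnerable pattern: whatever the provider delivered is
// logged as-is, inline key material included.
func DumpUnsafe(c Certificate) string { return formatConfigLine(c) }

const redactedMarker = "xxxx"

// Redact returns a copy that is safe to log. The key field is replaced
// unconditionally (a key path tells the reader nothing useful, and guessing
// wrong is unrecoverable); the certificate field is replaced only when it
// holds inline content, so a path stays visible for troubleshooting.
func Redact(c Certificate) Certificate {
	out := Certificate{CertFile: c.CertFile, KeyFile: redactedMarker}
	if c.CertFile.looksLikeContent() {
		out.CertFile = redactedMarker
	}
	return out
}

// DumpSafe is the hardened counterpart: redact first, serialize second.
func DumpSafe(c Certificate) string { return formatConfigLine(Redact(c)) }

// LeaksKeyMaterial is the check to run over a log line before it leaves the
// process, and over existing logs after the fact.
func LeaksKeyMaterial(line string) bool {
	return strings.Contains(line, "PRIVATE KEY")
}

// SampleCertificate is constructed input: the certificate is referenced by
// path while the key is supplied inline. The PEM body is a placeholder, not
// a real key.
func SampleCertificate() Certificate {
	return Certificate{
		CertFile: "/etc/traefik/certs/app.example.internal.crt",
		KeyFile: "-----BEGIN EC PRIVATE KEY-----\n" +
			"PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD\n" +
			"-----END EC PRIVATE KEY-----\n",
	}
}

func main() {
	c := SampleCertificate()
	fmt.Println(DumpUnsafe(c)) // the key PEM, newlines escaped, lands in the log
	fmt.Println(DumpSafe(c))   // path kept, key replaced by xxxx
}
```

The redaction deliberately does not consult the filesystem at log time: a value that is a path today may be inline content in the next provider update, and a logging path should never depend on that state.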

💻 Affected Systems

Products:
  • Traefik
  • TraefikEE
Versions: Traefik 2.0.0 through 2.1.3, TraefikEE 2.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Exposure requires TLS certificates configured through a certificate provider and log output verbose enough to include them. Traefik writes logs to stdout unless --log.filePath is set, so container log drivers and log-aggregation pipelines are in scope, not only local files.

📦 What is this software?

Traefik is an open-source edge router and reverse proxy written in Go. It discovers routes from providers such as Docker, Kubernetes, Consul and static files, terminates TLS for the services behind it, and can obtain certificates automatically through ACME. TraefikEE (Traefik Enterprise) is the commercial, clustered distribution built on the same codebase. Because Traefik holds the private keys for every site it fronts, anything that copies its TLS configuration into logs copies those keys too.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who reads the logs obtains a serving certificate's private key and can impersonate the service to its clients; the certificate is genuine, so nothing fails validation. Passive decryption of captured traffic is possible only for sessions negotiated with RSA key exchange; with (EC)DHE or TLS 1.3 the stolen key enables active man-in-the-middle attacks but not retroactive decryption.

🟠 Likely Case

Certificate and key material sits in log files and in whatever consumes them (container runtime log drivers, log shippers, a SIEM or hosted logging service), where far more people and systems have read access than to the TLS material itself.

🟢 If Mitigated

With tight log access controls and monitoring, the leaked material stays within the trust boundary of the log store, but it has still been copied outside the place it was meant to live. The software remains vulnerable until patched, and any key that reached a log should be treated as exposed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ❌ No
Complexity: LOW

Exploitation is passive and needs no access to Traefik itself: the attacker needs read access to wherever the log output landed (files, container stdout captured by the runtime, a log aggregator or SIEM). Anyone with that access, including operators of the logging platform, is in scope.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Traefik 2.1.4, TraefikEE 2.0.1

Vendor Advisory: https://github.com/containous/traefik/releases/tag/v2.1.4

Restart Required: Yes

Instructions:

1. Back up the current static and dynamic configuration.
2. Update Traefik to 2.1.4 or later (TraefikEE to 2.0.1 or later).
3. Restart the Traefik service, or roll the container or pod.
4. Confirm that new log output no longer contains certificate or key material.
5. Treat any private key that appeared in pre-patch logs as compromised: rotate the certificate, and purge or restrict the affected log archives, including copies held by log shippers or a SIEM.

🔧 Temporary Workarounds

Disable detailed logging

all

Run at the default level (ERROR) rather than DEBUG or INFO so configuration details are not written out. This limits new exposure only; it does not remove material already written to existing logs.

traefik --log.level=ERROR

Restrict log file access

linux

Set strict permissions on the log file and its directory. This only helps when Traefik writes to a file (--log.filePath); with the default stdout logging, the data lives in the container runtime's log store (for Docker's json-file driver, under /var/lib/docker/containers/), which must be protected instead.

chmod 600 /var/log/traefik/*.log
chown traefik:traefik /var/log/traefik/*.log

🧯 If You Can't Patch

  • Implement strict access controls on log directories and files, and on every downstream copy (log shippers, aggregators, SIEM indices)
  • Monitor log files for unusual access patterns and for PEM blocks appearing in them
  • Rotate any certificate whose private key has already been written to a log; restricting the logs afterwards does not un-expose the key

🔍 How to Verify

Check if Vulnerable:

Run traefik version on the host, or read the image tag for containerized deployments. A reported version from 2.0.0 through 2.1.3, or TraefikEE 2.0.0, is affected.

Check Version:

traefik version

Verify Fix Applied:

After patching, confirm the version is 2.1.4 or later (TraefikEE 2.0.1 or later), then scan both new and historical logs for PEM blocks; the patch stops further logging but does not scrub what was already written.

📡 Detection & Monitoring

Log Indicators:

  • Certificate private keys or sensitive data appearing in log files
  • Unexpected access to log files containing certificate information

Network Indicators:

  • The service's legitimate certificate presented from an endpoint you do not control (a stolen key passes validation, so look for the expected certificate fingerprint at an unexpected origin rather than for validation errors)
  • After rotation, continued presentation of the old certificate anywhere on the network

SIEM Query:

source="traefik.log" AND ("-----BEGIN CERTIFICATE-----" OR "PRIVATE KEY-----")
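The log check that both "How to Verify" and this section call for, as an added example that is not part of the original page or of Traefik: a Go scanner that recovers PEM objects from Traefik log text, including PEM that a single-line logger has escaped into \n sequences, parses each certificate or key, and reports a public-key fingerprint so a leaked key can be matched to the certificate it belongs to (equal SPKI fingerprints mean the key for that certificate is exposed and must be rotated). The log line is constructed here around a self-signed certificate generated at run time; the certFile/keyFile field names follow Traefik's dynamic TLS configuration, and nothing in the sample is a real log capture.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Finding is one PEM object recovered from log text; key bytes are never kept.
type Finding struct {
	Kind    string // "CERTIFICATE" or the private key PEM label
	Subject string // certificate subject, empty for keys
	SPKI    string // hex SHA-256 over the DER SubjectPublicKeyInfo
}

// pemObject matches one whole PEM object; [\s\S] lets it span real newlines.
var pemObject = regexp.MustCompile(`-----BEGIN [A-Z ]+-----[\s\S]*?-----END [A-Z ]+-----`)

// escapedNewline matches \n and \r and their doubly escaped forms such as \\n.
var escapedNewline = regexp.MustCompile(`\\+[rn]`)

func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// publicKeyDER parses a private key only far enough to recover its public half.
func publicKeyDER(block *pem.Block) []byte {
	var key interface{}
	var err error
	switch block.Type {
	case "EC PRIVATE KEY":
		key, err = x509.ParseECPrivateKey(block.Bytes)
	case "RSA PRIVATE KEY":
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	default: // "PRIVATE KEY" is PKCS#8; encrypted or unknown labels fail here
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	}
	if signer, ok := key.(crypto.Signer); err == nil && ok {
		der, _ := x509.MarshalPKIXPublicKey(signer.Public())
		return der
	}
	return nil
}

// ScanLog returns every certificate and private key in Traefik log text,
// whether the PEM spans real lines or was escaped onto a single line.
func ScanLog(logText string) []Finding {
	var out []Finding
	for _, m := range pemObject.FindAllString(escapedNewline.ReplaceAllString(logText, "\n"), -1) {
		block, _ := pem.Decode([]byte(m))
		if block == nil {
			continue
		}
		f := Finding{Kind: block.Type}
		if block.Type == "CERTIFICATE" {
			if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
				f.Subject = cert.Subject.String()
				f.SPKI = fingerprint(cert.RawSubjectPublicKeyInfo)
			}
		} else if der := publicKeyDER(block); der != nil {
			f.SPKI = fingerprint(der) // equals the cert's SPKI when this is its key
		}
		out = append(out, f)
	}
	return out
}

// SampleLog is constructed input, not a real capture: a self-signed P-256 cert
// and key generated here, embedded in a logrus-style debug configuration dump
// that has been escaped first by JSON encoding and then by the logger's %q.
func SampleLog() string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "app.example.internal"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	certDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	cfgJSON := fmt.Sprintf(`{"tls":{"certificates":[{"certFile":%q,"keyFile":%q}]}}`,
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
	return fmt.Sprintf(`time="2020-02-01T10:00:01Z" level=debug msg=%q providerName=file`,
		"Configuration received from provider file: "+cfgJSON)
}

func main() {
	for _, f := range ScanLog(SampleLog()) {
		fmt.Printf("%-15s subject=%q spki=%s\n", f.Kind, f.Subject, f.SPKI)
	}
}
```

Feed ScanLog real log text in place of SampleLog (the file named by --log.filePath, or the container runtime's captured stdout). The Finding values carry no key bytes, so the report itself can be attached to a rotation ticket without re-leaking anything.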
