CVE-2022-23632

7.4 HIGH

📋 TL;DR

Traefik versions before 2.6.1 incorrectly handle TLS configuration when requests use fully qualified domain names (FQDNs) in the Host header, potentially causing the wrong TLS certificate to be used. This affects all Traefik deployments using custom TLS configurations with FQDN routing. Attackers could exploit this to intercept or manipulate encrypted traffic.

💻 Affected Systems

Products:
  • Traefik
Versions: All versions before 2.6.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects deployments using custom TLS router configurations with FQDN host rules. CNAME flattening exacerbates the issue.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Man-in-the-middle attacks where encrypted traffic is decrypted using incorrect certificates, potentially exposing sensitive data or enabling credential theft.

🟠

Likely Case

TLS configuration mismatch causing certificate warnings for users or service disruption when expected certificates aren't presented.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though TLS misconfigurations could still cause service issues.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to send HTTP requests with FQDN Host headers to vulnerable Traefik instances.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.1

Vendor Advisory: https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Update Traefik to version 2.6.1 or later.
3. Restart the Traefik service.
4. Verify that TLS configurations work correctly with FQDN requests.

🔧 Temporary Workarounds

Add FQDN to host rules

Applies to: all

Explicitly add the FQDNs to the router host rules so that the correct TLS configuration is selected: modify the Traefik router configurations to include the FQDNs in their host rules.

🧯 If You Can't Patch

  • Implement network-level TLS inspection and monitoring
  • Use WAF or reverse proxy in front of Traefik to validate TLS configurations

🔍 How to Verify

Check if Vulnerable:

Check the Traefik version and whether custom TLS router configurations with FQDN host rules are in use.
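The following script is an added example, not part of this advisory page or of the Traefik project: it audits a Traefik dynamic configuration offline, flags routers that carry a router-level `tls` block but whose `Host(...)` rule lists a name without its FQDN counterpart, and emits the workaround rule with the FQDN variant added. It assumes the FQDN form is the trailing-dot spelling (`example.com.`), which is the form the vendor advisory's workaround adds alongside the bare name, and it assumes the router layout of Traefik's `http.routers` dynamic configuration; `SAMPLE_ROUTERS` is a constructed configuration, not a real deployment.

```python
import re
from typing import Dict, List

# Matches the Host matcher of a Traefik v2 rule, e.g. Host(`example.com`, `www.example.com`).
# The literal "Host(" does not match HostRegexp( or HostSNI(, which are left untouched.
HOST_MATCHER = re.compile(r"Host\(([^)]*)\)")
# Extracts each backtick-quoted hostname inside the matcher.
HOST_NAME = re.compile(r"`([^`]+)`")


def extract_hosts(rule: str) -> List[str]:
    """Return every hostname listed in the Host(...) matchers of a router rule."""
    hosts: List[str] = []
    for group in HOST_MATCHER.findall(rule):
        hosts.extend(HOST_NAME.findall(group))
    return hosts


def missing_fqdn_variants(rule: str) -> List[str]:
    """Bare hostnames in the rule that have no trailing-dot (FQDN) twin in the same rule."""
    hosts = extract_hosts(rule)
    present = set(hosts)
    return [h for h in hosts if not h.endswith(".") and h + "." not in present]


def add_fqdn_variants(rule: str) -> str:
    """Rewrite each Host(...) matcher so every bare name is also listed in its FQDN form.

    This is the workaround from the advisory: Host(`a.example.com`) becomes
    Host(`a.example.com`, `a.example.com.`). Names already present are not duplicated.
    """
    def rewrite(match: "re.Match[str]") -> str:
        out: List[str] = []
        for name in HOST_NAME.findall(match.group(1)):
            if name not in out:
                out.append(name)
            fqdn = name if name.endswith(".") else name + "."
            if fqdn not in out:
                out.append(fqdn)
        return "Host(" + ", ".join(f"`{n}`" for n in out) + ")"

    return HOST_MATCHER.sub(rewrite, rule)


def audit_routers(routers: Dict[str, dict]) -> Dict[str, List[str]]:
    """Report routers with a router-level tls block whose Host rule lacks FQDN variants.

    Routers without a tls block only ever use the default TLS configuration, so there
    is no router-specific configuration for the FQDN handling bug to skip; they are ignored.
    Returns {router_name: [hostnames that need a trailing-dot twin]}.
    """
    findings: Dict[str, List[str]] = {}
    for name, cfg in routers.items():
        if "tls" not in cfg:
            continue
        missing = missing_fqdn_variants(cfg.get("rule", ""))
        if missing:
            findings[name] = missing
    return findings


# Constructed sample mirroring the http.routers section of a Traefik dynamic config.
SAMPLE_ROUTERS: Dict[str, dict] = {
    "api": {"rule": "Host(`api.example.com`)", "tls": {"options": "strict"}},
    # Already carries the workaround: bare name plus FQDN form.
    "web": {"rule": "Host(`www.example.com`, `www.example.com.`)", "tls": {}},
    # No router-level tls block, so nothing router-specific can be skipped.
    "plain": {"rule": "Host(`legacy.example.com`)"},
    "multi": {"rule": "Host(`a.example.com`) || Host(`b.example.com`)", "tls": {"certResolver": "le"}},
}

if __name__ == "__main__":
    for router, hosts in audit_routers(SAMPLE_ROUTERS).items():
        print(f"{router}: add FQDN variant for {hosts}")
        print("  suggested rule:", add_fqdn_variants(SAMPLE_ROUTERS[router]["rule"]))
```

Run against the sample, the audit flags `api` and `multi` and prints the rewritten rules; `web` passes because it already lists both spellings. The static audit complements, rather than replaces, the live check above: after applying the rewritten rules, send requests whose Host header uses the FQDN form and confirm the same certificate and TLS options are presented as for the bare name.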

Check Version:

traefik version

Verify Fix Applied:

Send test requests with FQDN Host headers and verify that the correct TLS certificates are presented.

📡 Detection & Monitoring

Log Indicators:

  • TLS handshake errors
  • Certificate mismatch warnings
  • Unexpected TLS configuration changes

Network Indicators:

  • Unexpected certificate presentations
  • TLS protocol anomalies

SIEM Query:

Search Traefik logs for error or warning entries that contain both 'TLS' and 'configuration'.
