We are aware of the vulnerability reported to us by Daniel Abeles and Gal Goldsthein of Oxeye on June 13, 2022, and we have published a release with a bug fix for Traefik Proxy on June 27, 2022, and for Traefik Enterprise on June 28, 2022.
If you use a query parameter negation in Traefik Proxy versions 2.6.7 to 2.7.1 or Traefik Enterprise 2.5.0 to 2.6.5, you may be vulnerable. Other versions are not affected.
When ParseThru was first reported, it was classified as non-critical because exploiting this vulnerability requires using a query parameter negation as a routing rule on a secure route, which is an anti-pattern and contrary to best practice.
If your network is set up with query parameter negations on a secure route and you currently have access logs enabled, you can use a log aggregation tool to query for requests attempting to use the semicolon “;” parameter maliciously. Access logs do not look backward: enabling them now will not give you past data.
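One way to run that sweep offline over already-collected logs, as an added example that is not Traefik's own tooling: a Python script that parses lines in Traefik's default CLF access-log layout and reports every request whose query string contains a literal ";". The sample log lines, client addresses and paths are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Regex for the leading fields of a Traefik CLF-style access log entry:
# client, identity, user, [timestamp], "METHOD target HTTP/x.y", status.
# Fields after the status code are not needed for this check and are ignored.
ACCESS_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse_access_log_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = ACCESS_LOG_RE.match(line)
    return m.groupdict() if m else None

def has_semicolon_in_query(target: str) -> bool:
    """True when the request target carries a ';' inside its query string.
    A ';' in the path component alone (e.g. /a;b.css) is deliberately not flagged."""
    return ";" in urlsplit(target).query

def find_semicolon_requests(lines):
    """Yield (client, timestamp, target) for each request whose query string contains ';'."""
    for line in lines:
        fields = parse_access_log_line(line)
        if fields and has_semicolon_in_query(fields["target"]):
            yield (fields["client"], fields["ts"], fields["target"])

# Constructed sample lines (hypothetical hosts, routers and paths) in Traefik's default layout.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2022:10:15:01 +0000] "GET /api/items?page=2 HTTP/1.1" 200 512 "-" "curl/7.83" 1 "api@docker" "http://10.0.1.2:8080" 3ms
10.0.0.9 - - [27/Jun/2022:10:15:07 +0000] "GET /admin?token=abc;debug=1 HTTP/1.1" 200 128 "-" "curl/7.83" 2 "admin@docker" "http://10.0.1.3:8080" 4ms
10.0.0.9 - - [27/Jun/2022:10:15:09 +0000] "GET /static/a;b.css HTTP/1.1" 200 900 "-" "Mozilla/5.0" 3 "web@docker" "http://10.0.1.4:8080" 2ms
"""

def scan_sample():
    """Run the check over the constructed sample and return the flagged requests."""
    return list(find_semicolon_requests(SAMPLE_LOG.splitlines()))

if __name__ == "__main__":
    for client, ts, target in scan_sample():
        print(f"{ts} {client} {target}")
```

Point the same functions at your real access log file (one line per request) instead of SAMPLE_LOG; only requests logged while access logging was on can be found.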
If you are in this situation, we highly recommend that you upgrade to the latest version of Traefik Proxy or Traefik Enterprise.
As always, please feel free to ask any questions on this thread.
We welcome security vulnerability reports using this form.