CVE-2019-20894

Traefik 2.x, in certain configurations, allows HTTPS sessions to proceed without mutual TLS verification in a situation where ERR_BAD_SSL_CLIENT_AUTH_CERT should have occurred.

Published: Jul 2, 2020
Updated: May 9, 2024
CVE: CVE-2019-20894
GHSA: GHSA-q9mp-79cp-9g8j
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

CWEs:

CWE-287
CWE-295

OWASP TOP 10:

A2 - Broken Authentication
A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
traefik / traefik	2.0.0	2.0.1
github.com/traefik/traefik/v2	-	2.2.2

https://github.com/containous/traefik/commit/2b353971696717e980521b0e4baa1eba66c8d2bf
https://github.com/containous/traefik/issues/5312
https://github.com/containous/traefik/pull/7008

Vulnerability Database

CVE-2019-20894

Deep Security Visibility Without the Complexity