{"url":"http://public2.vulnerablecode.io/api/packages/87039?format=json","purl":"pkg:golang/github.com/containous/traefik/v2/pkg/api@2.3.0-rc3","type":"golang","namespace":"github.com/containous/traefik/v2/pkg","name":"api","version":"2.3.0-rc3","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2.2.8","latest_non_vulnerable_version":"2.3.0-rc3","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50691?format=json","vulnerability_id":"VCID-5u7e-b8nf-tqdc","summary":"Traefik vulnerable to Open Redirect via handling of X-Forwarded-Prefix header\n## Summary\n\nThere exists a potential open redirect vulnerability in Traefik's handling of the `X-Forwarded-Prefix` header. Active exploitation of this issue is unlikely as it would require active header injection, however the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios.\n\n## Details\n\nThe Traefik API dashboard component doesn't validate that the value of the header `X-Forwarded-Prefix` is a site relative path and will redirect to any header-provided URI.\n\ne.g.\n\n```\n$ curl --header 'Host:traefik.localhost' --header 'X-Forwarded-Prefix:https://example.org' 'http://localhost:8081'\n<a href=\"https://example.org/dashboard/\">Found</a>.\n```\n\n### Impact\nA successful exploitation of an open redirect can be used to entice victims to disclose sensitive information.\n\n### Workarounds\n\nBy using the `headers` middleware, the request header `X-Forwarded-Prefix` value can be overridden by the value `.` (dot)\n\n- https://docs.traefik.io/v2.2/middlewares/headers/#customrequestheaders\n- https://docs.traefik.io/v1.7/basics/#custom-headers\n\n### For more information\n\nIf you have any questions or comments about this advisory, open an issue in [Traefik](https://github.com/containous/traefik/issues).\n\n## Credit\n\nThis issue was found by the GitHub Application Security Team 
and reported on behalf of the GHAS by the GitHub Security Lab Team.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15129","reference_id":"","reference_type":"","scores":[{"value":"0.76842","scoring_system":"epss","scoring_elements":"0.98975","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15129"},{"reference_url":"https://github.com/containous/traefik/commit/cfa04c300c5db95ae8a52c31a9d973b6dd9c2254","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/containous/traefik/commit/cfa04c300c5db95ae8a52c31a9d973b6dd9c2254"},{"reference_url":"https://github.com/containous/traefik/commit/e63db782c11c7b8bfce30be4c902e7ef8f9f33d2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/containous/traefik/commit/e63db782c11c7b8bfce30be4c902e7ef8f9f33d2"},{"reference_url":"https://github.com/containous/traefik/pull/7109","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/containous/traefik/pull/7109"},{"reference_url":"https://github.com/containous/traefik/releases/tag/v1.7.26","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/containous/traefik/releases/tag/v1.7.26"},{"r
eference_url":"https://github.com/containous/traefik/releases/tag/v2.2.8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/containous/traefik/releases/tag/v2.2.8"},{"reference_url":"https://github.com/containous/traefik/releases/tag/v2.3.0-rc3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/containous/traefik/releases/tag/v2.3.0-rc3"},{"reference_url":"https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp"},{"reference_url":"https://github.com/traefik/traefik","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/traefik/traefik"},{"reference_url":"https://github.com/traefik/traefik/commit/e2c5f3712f68993de8ed3cb30da9ec0aa11acb09","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/traefik/traefik/commit/e2c5f3712f68993de8ed3cb30da9ec0aa11acb09"},{"reference_url":"https://nvd.nist.gov/vuln/de
tail/CVE-2020-15129","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15129"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/87038?format=json","purl":"pkg:golang/github.com/containous/traefik/v2/pkg/api@2.2.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/containous/traefik/v2/pkg/api@2.2.8"},{"url":"http://public2.vulnerablecode.io/api/packages/87039?format=json","purl":"pkg:golang/github.com/containous/traefik/v2/pkg/api@2.3.0-rc3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/containous/traefik/v2/pkg/api@2.3.0-rc3"}],"aliases":["CVE-2020-15129","GHSA-6qq8-5wq3-86rp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5u7e-b8nf-tqdc"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/containous/traefik/v2/pkg/api@2.3.0-rc3"}