CVE-2023-47106: 
NixOS vulnerability analysis and mitigation

Traefik, an open source HTTP reverse proxy and load balancer, was found to have a vulnerability (CVE-2023-47106) where it incorrectly processes URL fragments. When a request is sent to Traefik with a URL fragment, it automatically URL encodes and forwards the fragment to the backend server, violating RFC 7230 which specifies that the origin-form URL should only contain the absolute path and query. This vulnerability was discovered and disclosed in December 2023, affecting versions up to 2.10.5 and 3.0.0-beta4 (GitHub Advisory).

The vulnerability stems from Traefik's handling of URL fragments where it automatically URL encodes and forwards fragments to backend servers. This behavior violates RFC 7230 specifications regarding URL origin-form requirements. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).

When this vulnerability is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control restrictions. For example, if Nginx is configured to deny access to /admin paths, an attacker could bypass this restriction by requesting '/#/../admin', which Traefik would encode to '/%23/../admin', effectively circumventing the access controls (GitHub Advisory).

This vulnerability has been patched in Traefik versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade to these or later versions. There are no known workarounds for this vulnerability other than upgrading to a patched version (GitHub Release, GitHub Release).