x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-h2ph-vhm7-g4hp #1154

@GoVulnBot

Description

In GitHub Security Advisory GHSA-h2ph-vhm7-g4hp, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/traefik/traefik/v2 | 2.9.6 | < 2.9.6 |

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - fixed: 2.9.6
    packages:
      - package: github.com/traefik/traefik/v2
description: |-
    ### Impact

    Traefik can expose the Authorization header of proxied requests, and therefore the credentials it carries, by writing it into its debug logs.

    Traefik uses [oxy](https://github.com/vulcand/oxy) to provide the following features:

    - Round Robin: https://doc.traefik.io/traefik/routing/services/#weighted-round-robin-service
    - Buffering: https://doc.traefik.io/traefik/middlewares/http/buffering/
    - Circuit Breaker: https://doc.traefik.io/traefik/middlewares/http/circuitbreaker/
    - In-Flight Requests: https://doc.traefik.io/traefik/middlewares/http/inflightreq/

    When any of these features is in use and the log level is set to DEBUG, oxy logs the full request, so the credentials supplied in the Authorization header end up in the debug logs:

    ```
    level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"POST\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/<redacted>/<redacted>\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Authorization\":[\"Bearer <token value was here>\"],\"Content-Type\":[\"application/grpc\"],\"Grpc-Accept-Encoding\":[\"gzip\"],\"Grpc-Timeout\":[\"29999886u\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"<redacted>\"],<remainder of log message removed>
    ```

    ### Patches

    https://github.com/traefik/traefik/pull/9574
    https://github.com/traefik/traefik/releases/tag/v2.9.6

    ### Workarounds

    Set the log level to `INFO`, `WARN`, or `ERROR`. This only prevents further exposure: debug logs already written while one of the affected features was in use should be treated as containing credentials, and any tokens found in them should be rotated.

    ### For more information

    If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
cves:
  - CVE-2022-23469
ghsas:
  - GHSA-h2ph-vhm7-g4hp
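The failure mode above, reproduced in miniature as an added example (this is not code from Traefik, oxy, or this report): a debug logger that marshals the whole `http.Request` into the message leaks the bearer token, while the hardened variant logs a redacted clone of the headers. The `sensitiveHeaders` list, the log format, the `[REDACTED]` marker and the constructed sample request are assumptions of the example, not the projects' own; `leaksSecret` is the kind of check you would run over a logging layer in a unit test, or over existing debug logs after an incident.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// sensitiveHeaders lists request headers that carry credentials and must not
// reach a log line. The set is an assumption of this example; it is not the
// header list Traefik or oxy use.
var sensitiveHeaders = map[string]bool{
	"Authorization":       true,
	"Proxy-Authorization": true,
	"Cookie":              true,
}

// requestSnapshot is the subset of http.Request fields this example serializes,
// with JSON keys matching the field names visible in the leaked log line.
type requestSnapshot struct {
	Method string      `json:"Method"`
	URL    *url.URL    `json:"URL"`
	Proto  string      `json:"Proto"`
	Header http.Header `json:"Header"`
}

// formatLogLine renders a snapshot in a logfmt-style line similar in shape to
// the one quoted in the advisory (assumed format, not oxy's exact output).
func formatLogLine(snap requestSnapshot) string {
	b, err := json.Marshal(snap)
	if err != nil {
		return fmt.Sprintf("level=debug msg=\"completed ServeHttp on request\" Request=<marshal error: %v>", err)
	}
	return fmt.Sprintf("level=debug msg=\"completed ServeHttp on request\" Request=%q", string(b))
}

// naiveRequestLog reproduces the unsafe pattern: the whole request, headers
// included, is marshalled into the debug message.
func naiveRequestLog(r *http.Request) string {
	return formatLogLine(requestSnapshot{Method: r.Method, URL: r.URL, Proto: r.Proto, Header: r.Header})
}

// redactHeaders returns a copy of h with credential-bearing values replaced.
// It works on a clone so the in-flight request keeps its real headers.
func redactHeaders(h http.Header) http.Header {
	out := h.Clone()
	for name := range out {
		if sensitiveHeaders[http.CanonicalHeaderKey(name)] {
			out[name] = []string{"[REDACTED]"}
		}
	}
	return out
}

// safeRequestLog is the hardened form: same message, credentials masked.
func safeRequestLog(r *http.Request) string {
	return formatLogLine(requestSnapshot{Method: r.Method, URL: r.URL, Proto: r.Proto, Header: redactHeaders(r.Header)})
}

// leaksSecret reports whether an emitted log line still contains any of the
// given secret values (a simple post-hoc check for tests or log triage).
func leaksSecret(line string, secrets ...string) bool {
	for _, s := range secrets {
		if s != "" && strings.Contains(line, s) {
			return true
		}
	}
	return false
}

// sampleRequest builds a constructed gRPC-style request carrying a placeholder
// bearer token, modelled on the shape of the redacted log line in the advisory.
func sampleRequest(token string) *http.Request {
	req, err := http.NewRequest(http.MethodPost, "https://gateway.example/svc/Method", nil)
	if err != nil {
		panic(err)
	}
	req.Proto, req.ProtoMajor, req.ProtoMinor = "HTTP/2.0", 2, 0
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/grpc")
	req.Header.Set("Te", "trailers")
	return req
}

func main() {
	const token = "example-token-do-not-use" // constructed placeholder, not a real credential
	req := sampleRequest(token)
	fmt.Println(naiveRequestLog(req))
	fmt.Println(safeRequestLog(req))
	fmt.Println("naive line leaks token:", leaksSecret(naiveRequestLog(req), token))
	fmt.Println("safe line leaks token: ", leaksSecret(safeRequestLog(req), token))
}
```

Redacting a clone rather than the live header map matters in a proxy: the request still has to be forwarded upstream with its real Authorization value, so the masking must only affect what is written to the log. Lowering the log level, as the workaround suggests, removes the line entirely but does nothing for logs already on disk, which is what the `leaksSecret` style of check is for.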

Labels

excluded: EFFECTIVELY_PRIVATE (this vulnerability exists in a package that can be imported, but isn't meant to be used outside that module)
