Traefik Kubernetes CRD Provider Cross-Namespace Middleware Bypass Vulnerability

A vulnerability exists in Traefik's Kubernetes Custom Resource Definition (CRD) provider regarding cross-namespace isolation. When the 'allowCrossNamespace' option is set to false, Traefik properly rejects direct cross-namespace middleware references in IngressRoute objects. However, it does not enforce the same restriction for middleware references within a Chain middleware's 'spec.chain.middlewares[]' array. This flaw allows users with permission to create or update Traefik CRDs in their own namespace to reference and apply middleware from other namespaces, circumventing the intended isolation. This issue affects Traefik versions through 2.11.42, 3.6.13, and 3.7.0-rc.1.

Impact

Exploitation of this vulnerability allows for unauthorized cross-namespace middleware binding, enabling the application of middleware from one namespace to resources in another, contrary to the established isolation policies.

Reproduction

To reproduce this vulnerability, create a Chain middleware in a namespace with 'allowCrossNamespace' set to false. Include references to middleware located in a different namespace. When the IngressRoute is processed, Traefik will incorrectly apply the cross-namespace middleware, bypassing the isolation enforcement.

Remediation

Users can upgrade to Traefik versions 2.11.43, 3.6.14, or 3.7.0-rc.2, all of which include the necessary patch to address this vulnerability.