## Impact

There is a potential vulnerability in how the Traefik NGINX provider handles the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation. The provider inverts the semantics of the annotation: setting it to `"on"` (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected.

## Patches

- https://github.com/traefik/traefik/releases/tag/v3.6.3

## For more information

If you have any questions or comments …
GHSA-7vww-mvcr-x6vj: Traefik Inverted TLS Verification Logic in ingress-nginx Provider
Traefik NGINX provider vulnerability inverts TLS verification logic, allowing man-in-the-middle attacks on HTTPS backends when verification is intended to be enabled.
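
To find which Ingresses rely on the annotation, the following added example (not Traefik's code) models the inverted and the intended mapping and lists every Ingress that sets `"on"`. The function names are hypothetical and the sample is constructed, shaped like `kubectl get ingress -A -o json` output.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const annotation = "nginx.ingress.kubernetes.io/proxy-ssl-verify"

// skipVerifyInverted models the bug class in the advisory (hypothetical code):
// "on" ends up disabling backend certificate verification.
func skipVerifyInverted(v string) bool { return v == "on" }

// skipVerifyFixed is the intended mapping: "on" means the certificate is verified.
func skipVerifyFixed(v string) bool { return v != "on" }

type ingressList struct {
	Items []struct {
		Metadata struct {
			Namespace, Name string
			Annotations     map[string]string
		}
	}
}

// AtRisk returns "namespace/name" for each Ingress whose operator asked for
// verification but would get none under the inverted mapping.
func AtRisk(raw []byte) ([]string, error) {
	var list ingressList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var out []string
	for _, it := range list.Items {
		v, ok := it.Metadata.Annotations[annotation] // nil map lookup is safe
		if ok && skipVerifyInverted(v) && !skipVerifyFixed(v) {
			out = append(out, it.Metadata.Namespace+"/"+it.Metadata.Name)
		}
	}
	return out, nil
}

// Constructed sample data, not taken from a real cluster.
const sample = `{"items":[
 {"metadata":{"namespace":"shop","name":"api","annotations":{"nginx.ingress.kubernetes.io/proxy-ssl-verify":"on"}}},
 {"metadata":{"namespace":"shop","name":"web","annotations":{"nginx.ingress.kubernetes.io/proxy-ssl-verify":"off"}}},
 {"metadata":{"namespace":"ops","name":"grafana"}}]}`

func main() { fmt.Println(AtRisk([]byte(sample))) }
```

Ingresses reported here are the ones to re-check after upgrading to the patched release linked under Patches.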