Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00dnd4LTU0bXctdnFmd84AA69W
Traefik vulnerable to denial of service with Content-length header
There is a potential vulnerability in Traefik managing requests with Content-length
and no body
.
Sending a GET
request to any Traefik endpoint with the Content-length
request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.2
- https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
Workarounds
For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.
For more information
If you have any questions or comments about this advisory, please open an issue.
Permalink: https://github.com/advisories/GHSA-4vwx-54mw-vqfwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00dnd4LTU0bXctdnFmd84AA69W
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 21 days ago
Updated: 18 days ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-4vwx-54mw-vqfw, CVE-2024-28869
References:
- https://github.com/traefik/traefik/security/advisories/GHSA-4vwx-54mw-vqfw
- https://github.com/traefik/traefik/releases/tag/v2.11.2
- https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
- https://nvd.nist.gov/vuln/detail/CVE-2024-28869
- https://github.com/traefik/traefik/commit/240b83b77351dfd8cadb91c305b84e9d22e0f9c6
- https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts
- https://github.com/advisories/GHSA-4vwx-54mw-vqfw
Blast Radius: 12.9
Affected Packages
go:github.com/traefik/traefik
Dependent packages: 4Dependent repositories: 2
Downloads:
Affected Version Ranges: <= 2.11.1
Fixed in: 2.11.2
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.7.15, 1.7.16, 1.7.17, 1.7.18, 1.7.19, 1.7.20, 1.7.21, 1.7.22, 1.7.23, 1.7.24, 1.7.25, 1.7.26, 1.7.27, 1.7.28, 1.7.29, 1.7.30, 1.7.31, 1.7.32, 1.7.33, 1.7.34
All unaffected versions:
go:github.com/traefik/traefik/v2
Dependent packages: 44Dependent repositories: 52
Downloads:
Affected Version Ranges: <= 2.11.1
Fixed in: 2.11.2
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.10, 2.2.11, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 2.11.0, 2.11.1
All unaffected versions: 2.11.2
go:github.com/traefik/traefik/v3
Dependent packages: 0Dependent repositories: 2
Downloads:
Affected Version Ranges: >= 3.0.0-beta3, <= 3.0.0-rc4
Fixed in: 3.0.0-rc5
All affected versions: 3.0.0-beta3, 3.0.0-beta4, 3.0.0-beta5, 3.0.0-rc1, 3.0.0-rc2, 3.0.0-rc3, 3.0.0-rc4
All unaffected versions: