Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS03aGo5LXJ2NzQtNWc5Ms4AAyrs

Traefik HTTP header parsing could cause a denial of service

Impact

There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik.
HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service.

References

• CVE-2023-24534

Patches

• https://github.com/traefik/traefik/releases/tag/v2.9.10
• https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Permalink: https://github.com/advisories/GHSA-7hj9-rv74-5g92
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03aGo5LXJ2NzQtNWc5Ms4AAyrs
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 11 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-7hj9-rv74-5g92, CVE-2023-29013
References:

• https://github.com/traefik/traefik/security/advisories/GHSA-7hj9-rv74-5g92
• https://github.com/traefik/traefik/commit/4ed3964b3586565519249bbdc55eb1b961c08c49
• https://github.com/advisories/GHSA-8v5j-pwr7-w5f8
• https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2
• https://github.com/traefik/traefik/releases/tag/v2.9.10
• https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8/m/OV40vnafAwAJ
• https://nvd.nist.gov/vuln/detail/CVE-2023-29013
• https://security.netapp.com/advisory/ntap-20230517-0008/
• https://github.com/advisories/GHSA-7hj9-rv74-5g92

Repository: https://github.com/traefik/traefik
Blast Radius: 12.9

Affected Packages