Ecosyste.ms: Advisories
Traefik HTTP header parsing could cause a denial of service
Impact
There is a vulnerability in Go's HTTP header parsing that affects Traefik.
HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.9.10
- https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please open an issue.
Permalink: https://github.com/advisories/GHSA-7hj9-rv74-5g92
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03aGo5LXJ2NzQtNWc5Ms4AAyrs
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 11 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-7hj9-rv74-5g92, CVE-2023-29013
References:
- https://github.com/traefik/traefik/security/advisories/GHSA-7hj9-rv74-5g92
- https://github.com/traefik/traefik/commit/4ed3964b3586565519249bbdc55eb1b961c08c49
- https://github.com/advisories/GHSA-8v5j-pwr7-w5f8
- https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2
- https://github.com/traefik/traefik/releases/tag/v2.9.10
- https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8/m/OV40vnafAwAJ
- https://nvd.nist.gov/vuln/detail/CVE-2023-29013
- https://security.netapp.com/advisory/ntap-20230517-0008/
- https://github.com/advisories/GHSA-7hj9-rv74-5g92
Blast Radius: 12.9
Affected Packages
go:github.com/traefik/traefik/v2
Dependent packages: 44
Dependent repositories: 52
Affected Version Ranges: = 2.10.0-rc1, < 2.9.10
Fixed in: 2.10.0-rc2, 2.9.10
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.10, 2.2.11, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.10.0-rc1
All unaffected versions: 2.9.10, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 2.11.0, 2.11.1, 2.11.2