Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04Zzg1LXdocWgtY3IyZs4AA3kv
Traefik vulnerable to potential DDoS via ACME HTTPChallenge
Impact
There is a potential vulnerability in how Traefik manages the ACME HTTP challenge.
When Traefik is configured to use the HTTPChallenge to generate and renew Let's Encrypt TLS certificates, the time allowed to solve the challenge (50 seconds) can be exploited by attackers in a slowloris-style attack.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.10.6
- https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5
Workarounds
Replace the HTTPChallenge with the TLSChallenge or the DNSChallenge.
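As an added illustration (not part of the advisory or of Traefik's own documentation), the affected setting beside the two workarounds, written as Traefik static configuration; the resolver name, e-mail address, storage path, entry point name and DNS provider are placeholders.

```yaml
# Affected pattern: ACME HTTP-01 challenge answered on the plain-HTTP entry point.
# Traefik < 2.10.6 / < 3.0.0-beta5 keeps the challenge window open for 50 s,
# which the advisory describes as abusable by a slowloris-style attack.
certificatesResolvers:
  letsencrypt:                          # placeholder resolver name
    acme:
      email: admin@example.com          # placeholder
      storage: /etc/traefik/acme.json   # placeholder path
      httpChallenge:
        entryPoint: web                 # placeholder: entry point on port 80
---
# Workaround 1: TLS-ALPN-01 challenge. Validation is completed inside the TLS
# handshake on port 443; no HTTP-01 challenge handler is exposed.
certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com
      storage: /etc/traefik/acme.json
      tlsChallenge: {}
---
# Workaround 2: DNS-01 challenge. Validation is done through a DNS TXT record,
# so no inbound validation traffic reaches Traefik at all. Provider credentials
# are supplied through the provider's environment variables (see Traefik docs).
certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare            # placeholder provider name
```

Only one `certificatesResolvers` block is needed in a real file; the three YAML documents above are separated by `---` so they can be compared side by side.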
For more information
If you have any questions or comments about this advisory, please open an issue.
Permalink: https://github.com/advisories/GHSA-8g85-whqh-cr2f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04Zzg1LXdocWgtY3IyZs4AA3kv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 12 months ago
Updated: 2 days ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-8g85-whqh-cr2f, CVE-2023-47124
References:
- https://github.com/traefik/traefik/security/advisories/GHSA-8g85-whqh-cr2f
- https://nvd.nist.gov/vuln/detail/CVE-2023-47124
- https://doc.traefik.io/traefik/https/acme/#dnschallenge
- https://doc.traefik.io/traefik/https/acme/#httpchallenge
- https://doc.traefik.io/traefik/https/acme/#tlschallenge
- https://github.com/traefik/traefik/releases/tag/v2.10.6
- https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5
- https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris
- https://github.com/advisories/GHSA-8g85-whqh-cr2f
Blast Radius: 10.1
Affected Packages
go:github.com/traefik/traefik/v3
Dependent packages: 0
Dependent repositories: 2
Downloads:
Affected Version Ranges: < 3.0.0-beta5
Fixed in: 3.0.0-beta5
All affected versions: 3.0.0-beta1, 3.0.0-beta2, 3.0.0-beta3, 3.0.0-beta4
All unaffected versions: 3.0.0, 3.0.1
go:github.com/traefik/traefik/v2
Dependent packages: 44
Dependent repositories: 52
Downloads:
Affected Version Ranges: < 2.10.6
Fixed in: 2.10.6
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.10, 2.2.11, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5
All unaffected versions: 2.10.6, 2.10.7, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.7, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12