GitHub Advisory DatabaseGHSA-7HJ9-RV74-5G92Traefik HTTP header parsing could cause a denial of service
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
59.8%
Impact
There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik.
HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service.
References
Patches
- https://github.com/traefik/traefik/releases/tag/v2.9.10
- https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please open an issue.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/traefik/traefik/v2 | eq | 2.10.0-rc1 | |
| github.com/traefik/traefik/v2 | lt | 2.9.10 |
References
github.com/advisories/GHSA-7hj9-rv74-5g92
github.com/advisories/GHSA-8v5j-pwr7-w5f8
github.com/traefik/traefik/commit/4ed3964b3586565519249bbdc55eb1b961c08c49
github.com/traefik/traefik/releases/tag/v2.10.0-rc2
github.com/traefik/traefik/releases/tag/v2.9.10
github.com/traefik/traefik/security/advisories/GHSA-7hj9-rv74-5g92
groups.google.com/g/golang-announce/c/Xdv6JL9ENs8/m/OV40vnafAwAJ
nvd.nist.gov/vuln/detail/CVE-2023-29013
security.netapp.com/advisory/ntap-20230517-0008/
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
59.8%