GHSA-4vwx-54mw-vqfw

Source

https://github.com/advisories/GHSA-4vwx-54mw-vqfw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-4vwx-54mw-vqfw/GHSA-4vwx-54mw-vqfw.json

Aliases

CVE-2024-28869

Published

2024-04-12T17:05:13Z

Modified

2024-04-15T19:41:13Z

Details

There is a potential vulnerability in Traefik managing requests with Content-length and no body .

Sending a GET request to any Traefik endpoint with the Content-length request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.

Patches

https://github.com/traefik/traefik/releases/tag/v2.11.2
https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5

Workarounds

For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.

For more information

If you have any questions or comments about this advisory, please open an issue.

References

Affected packages

Go / github.com/traefik/traefik/v3

Package

Name: github.com/traefik/traefik/v3

Affected ranges

Type: SEMVER
Events: Introduced

3.0.0-beta3

Fixed

3.0.0-rc5

Database specific

{
    "last_known_affected_version_range": "<= 3.0.0-rc4"
}

Go / github.com/traefik/traefik/v2

Package

Name: github.com/traefik/traefik/v2

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.11.2

Database specific

{
    "last_known_affected_version_range": "<= 2.11.1"
}

Go / github.com/traefik/traefik

Package

Name: github.com/traefik/traefik

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.11.2

Database specific

{
    "last_known_affected_version_range": "<= 2.11.1"
}