GHSA-4vwx-54mw-vqfw

Suggest an improvement
Source
https://github.com/advisories/GHSA-4vwx-54mw-vqfw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-4vwx-54mw-vqfw/GHSA-4vwx-54mw-vqfw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4vwx-54mw-vqfw
Aliases
Related
Published
2024-04-12T17:05:13Z
Modified
2024-06-05T16:43:10.450612Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Traefik vulnerable to denial of service with Content-length header
Details

There is a potential vulnerability in Traefik managing requests with Content-length and no body .

Sending a GET request to any Traefik endpoint with the Content-length request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.2
  • https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5

Workarounds

For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.

For more information

If you have any questions or comments about this advisory, please open an issue.

Database specific
{
    "nvd_published_at": "2024-04-12T22:15:07Z",
    "cwe_ids": [
        "CWE-404",
        "CWE-755"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-12T17:05:13Z"
}
References

Affected packages

Go / github.com/traefik/traefik/v3

Package

Name
github.com/traefik/traefik/v3
View open source insights on deps.dev
Purl
pkg:golang/github.com/traefik/traefik/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0-beta3
Fixed
3.0.0-rc5

Database specific

{
    "last_known_affected_version_range": "<= 3.0.0-rc4"
}

Go / github.com/traefik/traefik/v2

Package

Name
github.com/traefik/traefik/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/traefik/traefik/v2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.11.2

Database specific

{
    "last_known_affected_version_range": "<= 2.11.1"
}

Go / github.com/traefik/traefik

Package

Name
github.com/traefik/traefik
View open source insights on deps.dev
Purl
pkg:golang/github.com/traefik/traefik

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.11.2

Database specific

{
    "last_known_affected_version_range": "<= 2.11.1"
}