GHSA-7hj9-rv74-5g92

Source: https://github.com/advisories/GHSA-7hj9-rv74-5g92
Import Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-7hj9-rv74-5g92/GHSA-7hj9-rv74-5g92.json
JSON Data: https://api.osv.dev/v1/vulns/GHSA-7hj9-rv74-5g92
Published: 2023-04-11T20:59:22Z
Modified: 2023-11-08T04:12:16.047391Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Traefik HTTP header parsing could cause a denial of service
Details

Impact

There is a vulnerability in Go's HTTP header parsing which affects Traefik. When parsing HTTP headers, Go could allocate substantially more memory than is required to hold the parsed headers. This behavior could be exploited to cause a denial of service.

References

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.9.10
  • https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Database specific
{
    "nvd_published_at": "2023-04-14T19:15:00Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-11T20:59:22Z"
}
Affected packages

Go / github.com/traefik/traefik/v2

Package
Name: github.com/traefik/traefik/v2
Purl: pkg:golang/github.com/traefik/traefik/v2

Affected ranges

Type: SEMVER
Events
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 2.9.10

Type: SEMVER
Events
Introduced: 2.10.0-rc1
Fixed: 2.10.0-rc2

Affected versions

2.*
2.10.0-rc1