GHSA-m697-4v8f-55qg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m697-4v8f-55qg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-m697-4v8f-55qg/GHSA-m697-4v8f-55qg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m697-4v8f-55qg
- Aliases
- Published
- 2021-08-05T17:04:21Z
- Modified
- 2024-08-21T16:28:49.934499Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Header dropping in traefik
- Details
-
Impact
There exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation, however, the Traefik team has addressed this issue to prevent any potential abuse.
Details
If you have a chain of Traefik middlewares, and one of them sets a request header
Important-Security-Header, then sending a request with the following Connection header will cause it to be removed before the request was sent:curl 'https://example.com' -H "Connection: Important-Security-Header" -0In this case, the backend does not see the request header
Important-Security-Header.Patches
Traefik v2.4.x: https://github.com/traefik/traefik/releases/tag/v2.4.13
Workarounds
No.
For more information
If you have any questions or comments about this advisory, open an issue.
- Database specific
{ "nvd_published_at": "2021-08-03T23:15:00Z", "github_reviewed_at": "2021-08-04T18:54:19Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-913" ] }- References
Affected packages
Go / github.com/traefik/traefik/v2
Package
- Name
- github.com/traefik/traefik/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/traefik/traefik/v2
Go / github.com/traefik/traefik
Package
- Name
- github.com/traefik/traefik
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/traefik/traefik