CVE-2022-39271Uncontrolled Resource Consumption in Traefik Traefik V2

CWE-400Uncontrolled Resource ConsumptionCWE-755Improper Handling of Exceptional Conditions6 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.6%
top 31.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Traefik Traefik V2Traefik
Timeline
PublishedOct 11
Latest updateApr 15

Description

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. There has been a patch released in versions 2.8.8 and 2.9.0-rc5. There are currently no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDtraefik/traefik< 2.8.8+1
Gogithub.com/traefik_traefik_v22.9.0-rc12.9.0-rc5+1
CVEListV5traefik/traefik < 2.8.8, >= 2.9.0-rc1, < 2.9.0-rc5+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
CVEList
Traefik HTTP/2 connections management could cause a denial of service2022-10-11
GHSA
Traefik HTTP/2 connections management could cause a denial of service2022-10-10
OSV
Traefik HTTP/2 connections management could cause a denial of service2022-10-10

📋Vendor Advisories

2
Oracle
Oracle Oracle Communications Applications Risk Matrix: Security (Traefik) — CVE-2022-392712023-04-15
Oracle
Oracle Oracle Communications Applications Risk Matrix: Cloud Native (Traefik) — CVE-2022-392712023-01-15
CVE-2022-39271 — Uncontrolled Resource Consumption | cvebase