CVE-2023-29013 — Uncontrolled Resource Consumption in Traefik

CWE-400 — Uncontrolled Resource Consumption4 documents4 sources

Severity

7.5HIGHNVD

EPSS

2.9%

top 13.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Traefik Github.com Traefik Traefik V2

Timeline

PublishedApr 14

Description

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service. This issue has been patched in versions 2.9.10 and 2.10.0-rc2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5traefik/traefik< 2.9.10+1

▶NVDtraefik/traefik< 2.9.10+1

▶Gogithub.com/traefik_traefik_v22.10.0-rc1 — 2.10.0-rc2+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

HTTP header parsing could cause a deny of service↗2023-04-14

▶

OSV

Traefik HTTP header parsing could cause a denial of service↗2023-04-11

▶

GHSA

Traefik HTTP header parsing could cause a denial of service↗2023-04-11

▶