CVE-2023-47124
Published 2023-12-04
Priority: P4 · 29 · Severity: medium · CVSS 3.1 base score 5.9
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.79% (51.7th percentile)
Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the `HTTPChallenge` to generate and renew Let's Encrypt TLS certificates, the delay it allows for solving the challenge (50 seconds) can be exploited by attackers to mount a Slowloris attack: connections to the challenge endpoint can be held open for the whole window, tying up the server's capacity. This vulnerability has been patched in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. Users unable to upgrade should replace the `HTTPChallenge` with the `TLSChallenge` or the `DNSChallenge`.
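The mechanism behind this advisory, shown as an added illustration that is not Traefik's code and not its fix: a Slowloris client opens a connection to an HTTP endpoint and never finishes sending the request header, so the server keeps that connection reserved for as long as it is willing to wait, and the longer the wait, the fewer connections an attacker needs to saturate the endpoint. The Go program below stands up a constructed stand-in for an HTTP-01 challenge responder on a loopback port, holds one half-sent request against it, and reports whether the server dropped the connection. With no header read timeout the connection stays open indefinitely; with `ReadHeaderTimeout` set it is closed once the timeout elapses. The responder body, request path, header names and timeout values are all constructed for this example. For Traefik itself the remedies remain those stated above: upgrade to 2.10.6 or 3.0.0-beta5, or switch to the TLS or DNS challenge.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"time"
)

// startResponder starts a stand-in for an ACME HTTP-01 challenge responder on a
// loopback port. readHeaderTimeout bounds how long the server waits for a client
// to finish sending request headers; 0 means it waits forever, which is the
// condition a Slowloris client exploits. It returns the listen address and a
// function that shuts the server down.
func startResponder(readHeaderTimeout time.Duration) (string, func(), error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	srv := &http.Server{
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// A real responder would return "<token>.<account-key-thumbprint>";
			// this body is a constructed placeholder for the example.
			fmt.Fprint(w, "token.thumbprint")
		}),
		ReadHeaderTimeout: readHeaderTimeout,
	}
	go srv.Serve(ln) // returns http.ErrServerClosed once stop() is called
	return ln.Addr().String(), func() { srv.Close() }, nil
}

// holdPartialRequest behaves like one Slowloris connection: it sends the start
// of a request for the challenge path but never the blank line that ends the
// headers, then waits up to `wait` for the server to give up. It returns true if
// the server closed the connection (or answered) within `wait`, and false if the
// connection was still being held open when `wait` elapsed.
func holdPartialRequest(addr string, wait time.Duration) (bool, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return false, err
	}
	defer conn.Close()

	// Incomplete header block: a dangling header name, no value, no "\r\n\r\n".
	partial := "GET /.well-known/acme-challenge/token HTTP/1.1\r\nHost: example.test\r\nX-Slow: "
	if _, err := conn.Write([]byte(partial)); err != nil {
		return false, err
	}

	if err := conn.SetReadDeadline(time.Now().Add(wait)); err != nil {
		return false, err
	}
	buf := make([]byte, 1)
	_, err = conn.Read(buf)
	if err == nil {
		return true, nil // server replied (e.g. an error status): it is not waiting on us
	}
	var nerr net.Error
	if errors.As(err, &nerr) && nerr.Timeout() {
		return false, nil // our deadline hit first: the server is still holding the connection
	}
	return true, nil // EOF or reset: the server dropped the half-sent request
}

func main() {
	for _, timeout := range []time.Duration{0, 200 * time.Millisecond} {
		addr, stop, err := startResponder(timeout)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		closed, err := holdPartialRequest(addr, time.Second)
		stop()
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("ReadHeaderTimeout=%v -> server closed the half-sent request within 1s: %v\n", timeout, closed)
	}
}
```

Run it with `go run`. The first iteration (no timeout) reports `false`: the server is still waiting on the client when the one-second observation window ends, and it would keep waiting for as long as the server's own limit allows. The second iteration reports `true` after roughly 200 ms. Each connection an attacker holds costs the server one slot for the whole time it is willing to wait, so a long window such as the 50 seconds described above lowers the connection rate needed to exhaust the endpoint.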
Affected versions

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | traefik_traefik_v2 | >= 0, < 2.10.6 | 2.10.6 |
| github.com | traefik_traefik_v3 | >= 0, < 3.0.0-beta5 | 3.0.0-beta5 |
| traefik | traefik | < 2.10.6 | 2.10.6 |
| traefik | traefik | <= 2.10.5 | — |
OSV (2024-08-21): Traefik vulnerable to potential DDoS via ACME HTTPChallenge in github.com/traefik/traefik
OSV (2023-12-05) [MEDIUM]: Traefik vulnerable to potential DDoS via ACME HTTPChallenge
## Impact
There is a potential vulnerability in Traefik's handling of the ACME HTTP challenge.
When Traefik is configured to use the [HTTPChallenge](https://doc.traefik.io/traefik/https/acme/#httpchallenge) to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers ([slowloris attack](https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/)).
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.10.6
- https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5
## Workarounds
Replace the HTTPChallenge with the [TLSChallenge](https://doc.traefik.io/traefik/https/acme/#tlschallenge) or the [DNSChallenge](https://doc.traef
GHSA (2023-12-05) [MEDIUM] CWE-400: Traefik vulnerable to potential DDoS via ACME HTTPChallenge
Advisory text identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://doc.traefik.io/traefik/https/acme/#httpchallenge
- https://doc.traefik.io/traefik/https/acme/#tlschallenge
- https://doc.traefik.io/traefik/https/acme/#dnschallenge
- https://github.com/traefik/traefik/releases/tag/v2.10.6
- https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5
- https://github.com/traefik/traefik/security/advisories/GHSA-8g85-whqh-cr2f
- https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/