CVE-2023-47124Missing Release of Resource after Effective Lifetime in Traefik

CWE-772Missing Release of Resource after Effective LifetimeCWE-400Uncontrolled Resource Consumption5 documents4 sources
Severity
5.9MEDIUMNVD
EPSS
0.2%
top 54.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
TraefikGithub.com Traefik Traefik V2Github.com Traefik Traefik V3
Timeline
PublishedDec 4
Latest updateAug 21

Description

Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the `HTTPChallenge` to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a `slowloris attack`. This vulnerability has been patch in version 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. Users unable to upgrade should replace the `HTTPChallenge` with the `TLSChallenge` or the `DNSChallenge`.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

CVEListV5traefik/traefik< 2.10.6+1
NVDtraefik/traefik2.10.5+1

🔴Vulnerability Details

4
OSV
Traefik vulnerable to potential DDoS via ACME HTTPChallenge in github.com/traefik/traefik2024-08-21
OSV
Traefik vulnerable to potential DDoS via ACME HTTPChallenge2023-12-05
GHSA
Traefik vulnerable to potential DDoS via ACME HTTPChallenge2023-12-05
CVEList
Denial of service whith ACME HTTPChallenge in Traefik2023-12-04
CVE-2023-47124 — Traefik vulnerability | cvebase