CVE-2024-52003 — Open Redirect in Traefik
Severity
6.3 MEDIUM (NVD)
EPSS
0.2%
top 60.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 29
Latest update: Dec 2
Description
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. This issue has been addressed in versions 2.11.14 and 3.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Packages: 4 packages
Patches
Vulnerability Details
4 OSV
Traefik's X-Forwarded-Prefix Header still allows for Open Redirect in github.com/traefik/traefik (2024-12-02)