ALT-PU-2024-12000-2
Closed vulnerabilities
Published: 2023-10-10
BDU:2023-06559
Уязвимость реализации протокола HTTP/2, связанная с возможностью формирования потока запросов в рамках уже установленного сетевого соединения, без открытия новых сетевых соединений и без подтверждения получения пакетов, позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2023-11-28
BDU:2024-03430
Уязвимость обратного прокси сервера Containous Traefik, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2023-10-10
Modified: 2025-04-03
Modified: 2025-04-03
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- [oss-security] 20231010 CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231010 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231018 Vulnerability in Jenkins
- [oss-security] 20231018 Vulnerability in Jenkins
- [oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
- [oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
- [oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- https://access.redhat.com/security/cve/cve-2023-44487
- https://access.redhat.com/security/cve/cve-2023-44487
- https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
- https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
- https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
- https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
- https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
- https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
- https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
- https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
- https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
- https://blog.vespa.ai/cve-2023-44487/
- https://blog.vespa.ai/cve-2023-44487/
- https://bugzilla.proxmox.com/show_bug.cgi?id=4988
- https://bugzilla.proxmox.com/show_bug.cgi?id=4988
- https://bugzilla.redhat.com/show_bug.cgi?id=2242803
- https://bugzilla.redhat.com/show_bug.cgi?id=2242803
- https://bugzilla.suse.com/show_bug.cgi?id=1216123
- https://bugzilla.suse.com/show_bug.cgi?id=1216123
- https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
- https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
- https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
- https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
- https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
- https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
- https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
- https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
- https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
- https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
- https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
- https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
- https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
- https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
- https://github.com/advisories/GHSA-qppj-fm5r-hxr3
- https://github.com/advisories/GHSA-qppj-fm5r-hxr3
- https://github.com/advisories/GHSA-vx74-f528-fxqg
- https://github.com/advisories/GHSA-vx74-f528-fxqg
- https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
- https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
- https://github.com/akka/akka-http/issues/4323
- https://github.com/akka/akka-http/issues/4323
- https://github.com/alibaba/tengine/issues/1872
- https://github.com/alibaba/tengine/issues/1872
- https://github.com/apache/apisix/issues/10320
- https://github.com/apache/apisix/issues/10320
- https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
- https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
- https://github.com/apache/httpd-site/pull/10
- https://github.com/apache/httpd-site/pull/10
- https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
- https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
- https://github.com/apache/trafficserver/pull/10564
- https://github.com/apache/trafficserver/pull/10564
- https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
- https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
- https://github.com/Azure/AKS/issues/3947
- https://github.com/Azure/AKS/issues/3947
- https://github.com/bcdannyboy/CVE-2023-44487
- https://github.com/bcdannyboy/CVE-2023-44487
- https://github.com/caddyserver/caddy/issues/5877
- https://github.com/caddyserver/caddy/issues/5877
- https://github.com/caddyserver/caddy/releases/tag/v2.7.5
- https://github.com/caddyserver/caddy/releases/tag/v2.7.5
- https://github.com/dotnet/announcements/issues/277
- https://github.com/dotnet/announcements/issues/277
- https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
- https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
- https://github.com/eclipse/jetty.project/issues/10679
- https://github.com/eclipse/jetty.project/issues/10679
- https://github.com/envoyproxy/envoy/pull/30055
- https://github.com/envoyproxy/envoy/pull/30055
- https://github.com/etcd-io/etcd/issues/16740
- https://github.com/etcd-io/etcd/issues/16740
- https://github.com/facebook/proxygen/pull/466
- https://github.com/facebook/proxygen/pull/466
- https://github.com/golang/go/issues/63417
- https://github.com/golang/go/issues/63417
- https://github.com/grpc/grpc/releases/tag/v1.59.2
- https://github.com/grpc/grpc-go/pull/6703
- https://github.com/grpc/grpc-go/pull/6703
- https://github.com/h2o/h2o/pull/3291
- https://github.com/h2o/h2o/pull/3291
- https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
- https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
- https://github.com/haproxy/haproxy/issues/2312
- https://github.com/haproxy/haproxy/issues/2312
- https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
- https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
- https://github.com/junkurihara/rust-rpxy/issues/97
- https://github.com/junkurihara/rust-rpxy/issues/97
- https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
- https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
- https://github.com/kazu-yamamoto/http2/issues/93
- https://github.com/kazu-yamamoto/http2/issues/93
- https://github.com/Kong/kong/discussions/11741
- https://github.com/Kong/kong/discussions/11741
- https://github.com/kubernetes/kubernetes/pull/121120
- https://github.com/kubernetes/kubernetes/pull/121120
- https://github.com/line/armeria/pull/5232
- https://github.com/line/armeria/pull/5232
- https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
- https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
- https://github.com/micrictor/http2-rst-stream
- https://github.com/micrictor/http2-rst-stream
- https://github.com/microsoft/CBL-Mariner/pull/6381
- https://github.com/microsoft/CBL-Mariner/pull/6381
- https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
- https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
- https://github.com/nghttp2/nghttp2/pull/1961
- https://github.com/nghttp2/nghttp2/pull/1961
- https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
- https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
- https://github.com/ninenines/cowboy/issues/1615
- https://github.com/ninenines/cowboy/issues/1615
- https://github.com/nodejs/node/pull/50121
- https://github.com/nodejs/node/pull/50121
- https://github.com/openresty/openresty/issues/930
- https://github.com/openresty/openresty/issues/930
- https://github.com/opensearch-project/data-prepper/issues/3474
- https://github.com/opensearch-project/data-prepper/issues/3474
- https://github.com/oqtane/oqtane.framework/discussions/3367
- https://github.com/oqtane/oqtane.framework/discussions/3367
- https://github.com/projectcontour/contour/pull/5826
- https://github.com/projectcontour/contour/pull/5826
- https://github.com/tempesta-tech/tempesta/issues/1986
- https://github.com/tempesta-tech/tempesta/issues/1986
- https://github.com/varnishcache/varnish-cache/issues/3996
- https://github.com/varnishcache/varnish-cache/issues/3996
- https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
- https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
- https://istio.io/latest/news/security/istio-security-2023-004/
- https://istio.io/latest/news/security/istio-security-2023-004/
- https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
- https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
- https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
- https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
- [debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update
- [debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update
- [debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update
- [debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update
- [debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update
- [debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update
- [debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update
- [debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update
- [debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update
- [debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update
- FEDORA-2023-c0c6a91330
- FEDORA-2023-7b52921cae
- FEDORA-2023-0259c3f26f
- FEDORA-2023-4bf641255e
- FEDORA-2023-d5030c983c
- FEDORA-2023-4d2fd884ea
- FEDORA-2023-dbe64661af
- FEDORA-2023-5ff7bf1dd8
- FEDORA-2023-ed2642fd58
- FEDORA-2023-fe53e13b5b
- FEDORA-2023-f66fc0f62a
- FEDORA-2023-b2c50535cb
- FEDORA-2023-1caffb88af
- FEDORA-2023-3f70b8d406
- FEDORA-2023-492b7be466
- FEDORA-2023-17efd3f2cd
- FEDORA-2023-e9c04d81c1
- FEDORA-2023-822aab0a5a
- FEDORA-2023-7934802344
- FEDORA-2023-54fadada12
- FEDORA-2023-2a9214af5f
- FEDORA-2023-c0c6a91330
- FEDORA-2023-7b52921cae
- FEDORA-2023-0259c3f26f
- FEDORA-2023-4bf641255e
- FEDORA-2023-d5030c983c
- FEDORA-2023-4d2fd884ea
- FEDORA-2023-dbe64661af
- FEDORA-2023-5ff7bf1dd8
- FEDORA-2023-ed2642fd58
- FEDORA-2023-fe53e13b5b
- FEDORA-2023-f66fc0f62a
- FEDORA-2023-b2c50535cb
- FEDORA-2023-1caffb88af
- FEDORA-2023-3f70b8d406
- FEDORA-2023-492b7be466
- FEDORA-2023-17efd3f2cd
- FEDORA-2023-e9c04d81c1
- FEDORA-2023-822aab0a5a
- FEDORA-2023-7934802344
- FEDORA-2023-54fadada12
- FEDORA-2023-2a9214af5f
- https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
- https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
- https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
- https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
- https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
- https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
- https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
- https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
- https://my.f5.com/manage/s/article/K000137106
- https://my.f5.com/manage/s/article/K000137106
- https://netty.io/news/2023/10/10/4-1-100-Final.html
- https://netty.io/news/2023/10/10/4-1-100-Final.html
- https://news.ycombinator.com/item?id=37830987
- https://news.ycombinator.com/item?id=37830987
- https://news.ycombinator.com/item?id=37830998
- https://news.ycombinator.com/item?id=37830998
- https://news.ycombinator.com/item?id=37831062
- https://news.ycombinator.com/item?id=37831062
- https://news.ycombinator.com/item?id=37837043
- https://news.ycombinator.com/item?id=37837043
- https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
- https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
- https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
- https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
- GLSA-202311-09
- GLSA-202311-09
- https://security.netapp.com/advisory/ntap-20231016-0001/
- https://security.netapp.com/advisory/ntap-20231016-0001/
- https://security.netapp.com/advisory/ntap-20240426-0007/
- https://security.netapp.com/advisory/ntap-20240426-0007/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://security.paloaltonetworks.com/CVE-2023-44487
- https://security.paloaltonetworks.com/CVE-2023-44487
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
- https://ubuntu.com/security/CVE-2023-44487
- https://ubuntu.com/security/CVE-2023-44487
- https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
- https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
- https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
- https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
- DSA-5521
- DSA-5521
- DSA-5522
- DSA-5522
- DSA-5540
- DSA-5540
- DSA-5549
- DSA-5549
- DSA-5558
- DSA-5558
- DSA-5570
- DSA-5570
- https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
- https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
- https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
- https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
- https://www.openwall.com/lists/oss-security/2023/10/10/6
- https://www.openwall.com/lists/oss-security/2023/10/10/6
- https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
- https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
- https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
- https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
- https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause
Published: 2023-12-05
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2023-47106
Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain the absolute path and the query. When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control restrictions. This vulnerability has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References:
- https://datatracker.ietf.org/doc/html/rfc7230#section-5.3.1
- https://datatracker.ietf.org/doc/html/rfc7230#section-5.3.1
- https://github.com/traefik/traefik/releases/tag/v2.10.6
- https://github.com/traefik/traefik/releases/tag/v2.10.6
- https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5
- https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5
- https://github.com/traefik/traefik/security/advisories/GHSA-fvhj-4qfh-q2hm
- https://github.com/traefik/traefik/security/advisories/GHSA-fvhj-4qfh-q2hm
Published: 2023-12-05
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2023-47124
Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the `HTTPChallenge` to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a `slowloris attack`. This vulnerability has been patch in version 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. Users unable to upgrade should replace the `HTTPChallenge` with the `TLSChallenge` or the `DNSChallenge`.
Severity: MEDIUM (5.9)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- https://doc.traefik.io/traefik/https/acme/#dnschallenge
- https://doc.traefik.io/traefik/https/acme/#dnschallenge
- https://doc.traefik.io/traefik/https/acme/#httpchallenge
- https://doc.traefik.io/traefik/https/acme/#httpchallenge
- https://doc.traefik.io/traefik/https/acme/#tlschallenge
- https://doc.traefik.io/traefik/https/acme/#tlschallenge
- https://github.com/traefik/traefik/releases/tag/v2.10.6
- https://github.com/traefik/traefik/releases/tag/v2.10.6
- https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5
- https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5
- https://github.com/traefik/traefik/security/advisories/GHSA-8g85-whqh-cr2f
- https://github.com/traefik/traefik/security/advisories/GHSA-8g85-whqh-cr2f
- https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris
- ttps://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/
Published: 2023-12-05
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2023-47633
Traefik is an open source HTTP reverse proxy and load balancer. The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration. This issue has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- https://github.com/traefik/traefik/releases/tag/v2.10.6
- https://github.com/traefik/traefik/releases/tag/v2.10.6
- https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5
- https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5
- https://github.com/traefik/traefik/security/advisories/GHSA-6fwg-jrfw-ff7p
- https://github.com/traefik/traefik/security/advisories/GHSA-6fwg-jrfw-ff7p