ALT-PU-2024-1883-3

BDU:2023-06559

HIGH7.5

Уязвимость реализации протокола HTTP/2, связанная с возможностью формирования потока запросов в рамках уже установленного сетевого соединения, без открытия новых сетевых соединений и без подтверждения получения пакетов, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2023-10-11Изменено: 2026-05-06

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0ВЫСОКАЯ 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

Ссылки

CVE-2023-44487

BDU:2024-03430

HIGH7.5

Уязвимость обратного прокси сервера Containous Traefik, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2024-05-02

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0ВЫСОКАЯ 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

Ссылки

CVE-2023-47633

CVE-2023-44487

HIGH7.5

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Опубликовано: 2023-10-10Изменено: 2025-11-07

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

CVE-2023-47106

MEDIUM6.5

Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain the absolute path and the query. When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control restrictions. This vulnerability has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Опубликовано: 2023-12-04Изменено: 2024-11-21

CVSS 3.xСРЕДНЯЯ 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Ссылки

CVE-2023-47124

MEDIUM5.9

Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the `HTTPChallenge` to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a `slowloris attack`. This vulnerability has been patch in version 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. Users unable to upgrade should replace the `HTTPChallenge` with the `TLSChallenge` or the `DNSChallenge`.

Опубликовано: 2023-12-04Изменено: 2024-11-21

CVSS 3.xСРЕДНЯЯ 5.9

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

CVE-2023-47633

HIGH7.5

Traefik is an open source HTTP reverse proxy and load balancer. The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration. This issue has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Опубликовано: 2023-12-04Изменено: 2024-11-21

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

GHSA-6fwg-jrfw-ff7p

HIGH7.5

Traefik docker container using 100% CPU

Опубликовано: 2023-12-05Изменено: 2023-12-05

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

GHSA-8g85-whqh-cr2f

MEDIUM5.9

Traefik vulnerable to potential DDoS via ACME HTTPChallenge

Опубликовано: 2023-12-05Изменено: 2024-11-19

CVSS 3.xСРЕДНЯЯ 5.9

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

GHSA-fvhj-4qfh-q2hm

MEDIUM6.5

Traefik incorrectly processes fragment in the URL, leads to Authorization Bypass

Опубликовано: 2023-12-05Изменено: 2023-12-08

CVSS 3.xСРЕДНЯЯ 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Ссылки

GHSA-m425-mq94-257g

HIGH7.5

gRPC-Go HTTP/2 Rapid Reset vulnerability

Опубликовано: 2023-10-26Изменено: 2024-07-19

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

GHSA-qppj-fm5r-hxr3

MEDIUM6.9

HTTP/2 Stream Cancellation Attack

Опубликовано: 2023-10-11Изменено: 2025-10-22

CVSS 3.x

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H

CVSS 4.0

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A

Ссылки

GHSA-xpw8-rcwv-8f8p

HIGH7.5

io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack

Опубликовано: 2023-10-11Изменено: 2023-11-07

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ссылки

Обновление пакета traefik в ветке p10

Закрытые проблемы (12)

Уязвимость обратного прокси сервера Containous Traefik, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Traefik docker container using 100% CPU

Traefik vulnerable to potential DDoS via ACME HTTPChallenge

Traefik incorrectly processes fragment in the URL, leads to Authorization Bypass

gRPC-Go HTTP/2 Rapid Reset vulnerability

HTTP/2 Stream Cancellation Attack

io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack