CVE-2022-39271

Name

CVE-2022-39271

Description

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. There has been a patch released in versions 2.8.8 and 2.9.0-rc5. There are currently no known workarounds.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/traefik/traefik/releases/tag/v2.8.8
CONFIRM	https://github.com/traefik/traefik/security/advisories/GHSA-c6hx-pjc3-7fqr
MISC	https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:traefik:traefik::::::::`	traefik	>= None	< 2.8.8
`cpe:2.3:a:traefik:traefik:2.9.0:rc1::::::`	traefik	== None	== 2.9.0

Source package	Branch	Version	Maintainer	Status
traefik	edge-community	2.2.8-r0	None	possibly vulnerable
traefik	3.22-community	2.2.8-r0	None	possibly vulnerable

References

Match rules

Vulnerable and fixed packages