CVE-2024-28869

Name: CVE-2024-28869

Description: Traefik is an HTTP reverse proxy and load balancer. In affected versions, sending a GET request to any Traefik endpoint with a "Content-length" request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service. This vulnerability has been addressed in versions 2.11.2 and 3.0.0-rc5. Users are advised to upgrade. For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.

NVD Severity: medium
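The readTimeout mitigation named in the description, shown as a Traefik static configuration. This is an added example, not text from the advisory or the Traefik project; the entry point name "web", its address and the 30s value are assumptions.

```yaml
# Added example: Traefik static configuration (traefik.yml), not from the advisory.
# Entry point name "web", its address and the timeout values are assumptions.

# Weak: an entry point with no readTimeout set. In affected versions this is the
# default configuration the advisory describes as hanging indefinitely on a GET
# that carries a Content-length header (respondingTimeouts.readTimeout defaults
# to 0, i.e. disabled, per the linked entrypoints documentation).
#
# entryPoints:
#   web:
#     address: ":80"

# Mitigated: bound how long Traefik waits to read the whole request, so a
# connection that never completes its request is closed instead of held open.
entryPoints:
  web:
    address: ":80"
    transport:
      respondingTimeouts:
        readTimeout: 30s
        # Optional companions documented on the same page:
        # writeTimeout: 30s
        # idleTimeout: 180s
```

Upgrading to 2.11.2 / 3.0.0-rc5 remains the fix; readTimeout is the interim control for versions that cannot be upgraded yet.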

References

Type    | URI
MISC    | https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts
MISC    | https://github.com/traefik/traefik/commit/240b83b77351dfd8cadb91c305b84e9d22e0f9c6
MISC    | https://github.com/traefik/traefik/releases/tag/v2.11.2
MISC    | https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
CONFIRM | https://github.com/traefik/traefik/security/advisories/GHSA-4vwx-54mw-vqfw

Match rules

CPE URI                                          | Source package | Min version  | Max version
(none)                                           | traefik        | >= 0         | < 2.11.2
(none)                                           | traefik        | >= 3.0.0-rc1 | < 3.0.0-rc5
cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*        | traefik        | >= 0         | < 2.11.2
cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*        | traefik        | >= 0         | <= 3.0.0-rc3

Vulnerable and fixed packages

Source package | Branch         | Version  | Maintainer                                    | Status
traefik        | 3.20-community | 3.0.0-r3 | Francesco Colista <fcolista@alpinelinux.org>  | possibly vulnerable