CVE-2024-28869

moderate-risk
Published 2024-04-12

Traefik is an HTTP reverse proxy and load balancer. In affected versions sending a GET request to any Traefik endpoint with the "Content-length" request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service. This vulnerability has been addressed in version 2.11.2 and 3.0.0-rc5. Users are advised to upgrade. For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.

Do I need to act?

-
0.75% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (11)

Affected Vendors

Traefik

References (10)

Product https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts
Patch https://github.com/traefik/traefik/commit/240b83b77351dfd8cadb91c305b84e9d22e0f9...
Release Notes https://github.com/traefik/traefik/releases/tag/v2.11.2
Release Notes https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
Patch https://github.com/traefik/traefik/security/advisories/GHSA-4vwx-54mw-vqfw
Product https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts
Patch https://github.com/traefik/traefik/commit/240b83b77351dfd8cadb91c305b84e9d22e0f9...
Release Notes https://github.com/traefik/traefik/releases/tag/v2.11.2
Release Notes https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5
Patch https://github.com/traefik/traefik/security/advisories/GHSA-4vwx-54mw-vqfw
45
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 3/34 · Minimal
Exposure 16/34 · Moderate