CVE-2024-45410

moderate-risk
Published 2024-09-19

Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified. For HTTP/1.1, however, it was found that some of theses custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior, that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been addressed in release versions 2.11.9 and 3.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Do I need to act?

!
13.9% chance of exploitation in next 30 days
EPSS score — higher than 86% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Traefik

References (3)

Release Notes https://github.com/traefik/traefik/releases/tag/v2.11.9
Release Notes https://github.com/traefik/traefik/releases/tag/v3.1.3
Vendor Advisory https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv
49
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 12/34 · Low
Exposure 5/34 · Minimal