x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-7hj9-rv74-5g92 #1715

Closed
GoVulnBot opened this issue Apr 11, 2023 · 2 comments
Labels
excluded: DEPENDENT_VULNERABILITY This vulnerability is downstream of another existing vulnerability report.

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-7hj9-rv74-5g92, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/traefik/traefik/v2 | 2.10.0-rc2 | = 2.10.0-rc1 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/traefik/traefik/v2
    versions:
      - introduced: TODO (earliest fixed "2.10.0-rc2", vuln range "= 2.10.0-rc1")
    packages:
      - package: github.com/traefik/traefik/v2
  - module: github.com/traefik/traefik/v2
    versions:
      - fixed: 2.9.10
    packages:
      - package: github.com/traefik/traefik/v2
summary: 'Traefik HTTP header parsing could cause a denial of service '
description: |
    ### Impact

    There is a vulnerability in [Go when parsing the HTTP headers](https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8/m/OV40vnafAwAJ), which impacts Traefik.
    HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service.

    ### References

    - [CVE-2023-24534](https://www.cve.org/CVERecord?id=CVE-2023-24534)

    ### Patches
    - https://github.com/traefik/traefik/releases/tag/v2.9.10
    - https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2

    ### Workarounds

    No workaround.

    ### For more information

    If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
cves:
  - CVE-2023-29013
ghsas:
  - GHSA-7hj9-rv74-5g92
references:
  - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-7hj9-rv74-5g92
  - fix: https://github.com/traefik/traefik/commit/4ed3964b3586565519249bbdc55eb1b961c08c49
  - advisory: https://github.com/advisories/GHSA-8v5j-pwr7-w5f8
  - web: https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2
  - web: https://github.com/traefik/traefik/releases/tag/v2.9.10
  - web: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8/m/OV40vnafAwAJ
  - advisory: https://github.com/advisories/GHSA-7hj9-rv74-5g92

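The record above leaves the `introduced` point of the 2.10 line as a TODO and lists two affected intervals: everything before 2.9.10, and the single pre-release 2.10.0-rc1 (fixed in 2.10.0-rc2). The following is an added Go example, not code from the report, from x/vulndb or from Traefik, that encodes those two intervals and checks a version string against them with semver precedence, so that `2.10.0-rc1` sorts after `2.9.10` but before `2.10.0-rc2` and `2.10.0`. It assumes `2.10.0-rc1` as the introduced point of the second interval (taken from the `= 2.10.0-rc1` range shown); the names `IsAffected`, `affectedRange` and `traefikGHSA7hj9Ranges` are the example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parsedVersion holds the numeric core (major.minor.patch) and the optional
// pre-release identifiers of a version string such as "2.10.0-rc1".
type parsedVersion struct {
	core [3]int
	pre  []string
}

// parseVersion parses "v2.9.10" or "2.10.0-rc2". A leading "v" is tolerated
// because Go module tags carry one; build metadata after "+" is ignored.
func parseVersion(s string) (parsedVersion, error) {
	var pv parsedVersion
	s = strings.TrimPrefix(s, "v")
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i]
	}
	corePart, prePart, hasPre := strings.Cut(s, "-")
	fields := strings.Split(corePart, ".")
	if len(fields) != 3 {
		return pv, fmt.Errorf("version %q: expected major.minor.patch", s)
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return pv, fmt.Errorf("version %q: bad numeric field %q", s, f)
		}
		pv.core[i] = n
	}
	if hasPre {
		if prePart == "" {
			return pv, fmt.Errorf("version %q: empty pre-release", s)
		}
		pv.pre = strings.Split(prePart, ".")
	}
	return pv, nil
}

func cmpInt(x, y int) int {
	switch {
	case x < y:
		return -1
	case x > y:
		return 1
	}
	return 0
}

// compareVersions returns -1, 0 or 1 following semver precedence: the numeric
// core first; a pre-release sorts before its release; pre-release identifiers
// compare numerically when both are numbers, otherwise lexically, with numeric
// identifiers before alphanumeric ones and a shorter identifier list first.
func compareVersions(a, b parsedVersion) int {
	for i := 0; i < 3; i++ {
		if c := cmpInt(a.core[i], b.core[i]); c != 0 {
			return c
		}
	}
	switch {
	case len(a.pre) == 0 && len(b.pre) == 0:
		return 0
	case len(a.pre) == 0:
		return 1 // release > pre-release
	case len(b.pre) == 0:
		return -1
	}
	for i := 0; i < len(a.pre) && i < len(b.pre); i++ {
		an, aErr := strconv.Atoi(a.pre[i])
		bn, bErr := strconv.Atoi(b.pre[i])
		var c int
		switch {
		case aErr == nil && bErr == nil:
			c = cmpInt(an, bn)
		case aErr == nil:
			c = -1
		case bErr == nil:
			c = 1
		default:
			c = strings.Compare(a.pre[i], b.pre[i])
		}
		if c != 0 {
			return c
		}
	}
	return cmpInt(len(a.pre), len(b.pre))
}

// affectedRange is one vulnerable interval [introduced, fixed); an empty
// introduced means "from the first release", as in the report's second entry.
type affectedRange struct{ introduced, fixed string }

// traefikGHSA7hj9Ranges encodes the two entries of the report. Assumption:
// 2.10.0-rc1 is used as the introduced point of the 2.10 line, since the
// advisory lists only that tag as vulnerable there.
var traefikGHSA7hj9Ranges = []affectedRange{
	{introduced: "", fixed: "2.9.10"},
	{introduced: "2.10.0-rc1", fixed: "2.10.0-rc2"},
}

// IsAffected reports whether version v lies inside any of the given ranges.
func IsAffected(v string, ranges []affectedRange) (bool, error) {
	pv, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	for _, r := range ranges {
		if r.introduced != "" {
			intro, err := parseVersion(r.introduced)
			if err != nil {
				return false, err
			}
			if compareVersions(pv, intro) < 0 {
				continue
			}
		}
		fixed, err := parseVersion(r.fixed)
		if err != nil {
			return false, err
		}
		if compareVersions(pv, fixed) < 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	for _, v := range []string{"v2.9.9", "2.9.10", "2.10.0-rc1", "2.10.0-rc2", "2.10.0"} {
		affected, err := IsAffected(v, traefikGHSA7hj9Ranges)
		fmt.Println(v, affected, err)
	}
}
```

The pre-release handling is the part that matters for this record: a naive string or float comparison would either rank 2.10.0-rc1 below 2.9.10 or treat 2.10.0-rc2 as affected.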
@timothy-king timothy-king self-assigned this Apr 11, 2023
@timothy-king timothy-king added the excluded: DEPENDENT_VULNERABILITY This vulnerability is downstream of another existing vulnerability report. label Apr 11, 2023
@timothy-king
Contributor

CVE-2023-24534 is #1704.

@gopherbot
Contributor

Change https://go.dev/cl/483776 mentions this issue: data/excluded: batch add GO-2023-1715, GO-2023-1714, GO-2023-1707
