​
Security Advisories

CGA-wgv8-rh95-48wv

Published

Last updated

https://images.chainguard.dev/security/CGA-wgv8-rh95-48wv
Package: traefik

Latest Update: Fixed

Fixed Version: 2.11.2-r0

Aliases
  • CVE-2024-28869
  • GHSA-4vwx-54mw-vqfw

Severity: 7.5 High (CVSS V3)

Summary

Traefik vulnerable to denial of service with Content-length header

Description

There is a potential vulnerability in how Traefik manages requests that carry a Content-length header and no body.

Sending a GET request to any Traefik endpoint with the Content-length request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.2
  • https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5

Workarounds

For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.
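
An added example, not taken from the advisory or from the Traefik project: a static configuration fragment that applies the readTimeout workaround on each entry point. The entry point names, addresses and the 60s value are assumptions; adjust them to the deployment.

```yaml
# traefik.yml (static configuration), constructed example
entryPoints:
  web:                        # assumed entry point name
    address: ":80"            # assumed listener address
    transport:
      respondingTimeouts:
        # Maximum time Traefik waits to read the entire request,
        # body included. A value of 0 means no timeout, so a request
        # that announces a body and never sends it is never cut off.
        readTimeout: 60s      # assumed value
  websecure:                  # assumed entry point name
    address: ":443"           # assumed listener address
    transport:
      respondingTimeouts:
        readTimeout: 60s      # assumed value

# Equivalent CLI flag for one entry point:
#   --entryPoints.web.transport.respondingTimeouts.readTimeout=60s
```

readTimeout is set per entry point, so every listener reachable by untrusted clients needs it. Because it bounds the whole request including the body, choose a value that still allows the largest legitimate upload.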

For more information

If you have any questions or comments about this advisory, please open an issue.
