CVE-2022-39271 - OpenCVE

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. There has been a patch released in versions 2.8.8 and 2.9.0-rc5. There are currently no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Traefik	Traefik

Configuration 1 [-]

OR	cpe:2.3:a:traefik:traefik::::::::
	cpe:2.3:a:traefik:traefik:2.9.0:rc1::::::
	cpe:2.3:a:traefik:traefik:2.9.0:rc2::::::
	cpe:2.3:a:traefik:traefik:2.9.0:rc3::::::
	cpe:2.3:a:traefik:traefik:2.9.0:rc4::::::

No data.

References

Link	Providers
https://github.com/traefik/traefik/releases/tag/v2.8.8
https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5
https://github.com/traefik/traefik/security/advisories/GHSA-c6hx-pjc3-7fqr

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-10-11T00:00:00

Updated: 2024-08-03T12:00:43.598Z

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39271

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-10-11T14:15:09.883

Modified: 2023-07-14T18:17:00.723

Link: CVE-2022-39271

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39271", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:00:43.598Z", "dateReserved": "2022-09-02T00:00:00", "datePublished": "2022-10-11T00:00:00"}, "containers": {"cna": {"title": "Traefik HTTP/2 connections management could cause a denial of service", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. There has been a patch released in versions 2.8.8 and 2.9.0-rc5. There are currently no known workarounds."}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": " < 2.8.8", "status": "affected"}, {"version": ">= 2.9.0-rc1, < 2.9.0-rc5", "status": "affected"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-c6hx-pjc3-7fqr"}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.8.8"}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}], "source": {"advisory": "GHSA-c6hx-pjc3-7fqr", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.598Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-c6hx-pjc3-7fqr", "tags": ["x_transferred"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.8.8", "tags": ["x_transferred"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC4B4129-B55E-49A3-AC70-58189BF6F4E9", "versionEndExcluding": "2.8.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:2.9.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "FCCE16AF-C4D4-4214-BD57-5F45CA12B84B", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:2.9.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "B462AF00-590B-400C-B219-685BBC1E16AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:2.9.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "45A346C6-2494-4C72-A606-746554E933B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:2.9.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "BD36BBFB-A14F-4B93-95B6-83FC5C67F4B9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. There has been a patch released in versions 2.8.8 and 2.9.0-rc5. There are currently no known workarounds."}, {"lang": "es", "value": "Traefik (pronunciado tr\u00e1fico) es un moderno proxy inverso HTTP y equilibrador de carga que ayuda a desplegar microservicios. Se presenta una vulnerabilidad potencial en Traefik al administrar las conexiones HTTP/2. Una conexi\u00f3n de servidor HTTP/2 que es cerrada podr\u00eda colgarse para siempre debido a un error fatal posterior. Este modo de fallo podr\u00eda ser explotado para causar una denegaci\u00f3n de servicio. Ha sido publicado un parche en versiones 2.8.8 y 2.9.0-rc5. Actualmente no se presentan mitigaciones conocidas"}], "id": "CVE-2022-39271", "lastModified": "2023-07-14T18:17:00.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-10-11T14:15:09.883", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/traefik/traefik/releases/tag/v2.8.8"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-c6hx-pjc3-7fqr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}