CVE-2023-29013 - OpenCVE

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service. This issue has been patched in versions 2.9.10 and 2.10.0-rc2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Traefik	Traefik

Configuration 1 [-]

OR	cpe:2.3:a:traefik:traefik::::::::
	cpe:2.3:a:traefik:traefik:2.10.0:rc1::::::

No data.

References

Link	Providers
https://github.com/traefik/traefik/commit/4ed3964b3586565519249bbdc55eb1b961c08c49
https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2
https://github.com/traefik/traefik/releases/tag/v2.9.10
https://github.com/traefik/traefik/security/advisories/GHSA-7hj9-rv74-5g92
https://security.netapp.com/advisory/ntap-20230517-0008/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-04-14T18:15:12.622Z

Updated: 2024-08-02T14:00:14.348Z

Reserved: 2023-03-29T17:39:16.143Z

Link: CVE-2023-29013

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-04-14T19:15:09.127

Modified: 2023-05-26T15:01:44.387

Link: CVE-2023-29013

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-29013", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-03-29T17:39:16.143Z", "datePublished": "2023-04-14T18:15:12.622Z", "dateUpdated": "2024-08-02T14:00:14.348Z"}, "containers": {"cna": {"title": "HTTP header parsing could cause a deny of service ", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-7hj9-rv74-5g92", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-7hj9-rv74-5g92"}, {"name": "https://github.com/traefik/traefik/commit/4ed3964b3586565519249bbdc55eb1b961c08c49", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/commit/4ed3964b3586565519249bbdc55eb1b961c08c49"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.9.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v2.9.10"}, {"url": "https://security.netapp.com/advisory/ntap-20230517-0008/"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 2.9.10", "status": "affected"}, {"version": "= 2.10.0-rc1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-04-14T18:15:12.622Z"}, "descriptions": [{"lang": "en", "value": "Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service. This issue has been patched in versions 2.9.10 and 2.10.0-rc2.\n"}], "source": {"advisory": "GHSA-7hj9-rv74-5g92", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:00:14.348Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-7hj9-rv74-5g92", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-7hj9-rv74-5g92"}, {"name": "https://github.com/traefik/traefik/commit/4ed3964b3586565519249bbdc55eb1b961c08c49", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/traefik/traefik/commit/4ed3964b3586565519249bbdc55eb1b961c08c49"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.9.10", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/traefik/traefik/releases/tag/v2.9.10"}, {"url": "https://security.netapp.com/advisory/ntap-20230517-0008/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "D38F7D80-DDA8-421D-9C97-C3F53BA1F096", "versionEndExcluding": "2.9.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:2.10.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "748FFA04-66D8-4821-B6F3-38BBE07490FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service. This issue has been patched in versions 2.9.10 and 2.10.0-rc2.\n"}], "id": "CVE-2023-29013", "lastModified": "2023-05-26T15:01:44.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-04-14T19:15:09.127", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/traefik/traefik/commit/4ed3964b3586565519249bbdc55eb1b961c08c49"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v2.9.10"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-7hj9-rv74-5g92"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230517-0008/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Secondary"}]}