Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2024-45410 #3143

Closed
GoVulnBot opened this issue Sep 20, 2024 · 1 comment
Closed

Comments

@GoVulnBot
Copy link

Advisory CVE-2024-45410 references a vulnerability in the following Go modules:

Module
github.com/traefik/traefik

Description:
Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified. For HTTP/1.1, however, it was found that some of theses custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/traefik/traefik
      vulnerable_at: 1.7.34
summary: CVE-2024-45410 in github.com/traefik/traefik
cves:
    - CVE-2024-45410
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45410
    - web: https://github.com/traefik/traefik/releases/tag/v2.11.9
    - web: https://github.com/traefik/traefik/releases/tag/v3.1.3
    - web: https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv
source:
    id: CVE-2024-45410
    created: 2024-09-20T00:01:24.19387078Z
review_status: UNREVIEWED

@zpavlinovic
Copy link
Contributor

Duplicate of #3135

@zpavlinovic zpavlinovic marked this as a duplicate of #3135 Sep 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants