Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-62c8-mh53-4cqv #3135

Closed
GoVulnBot opened this issue Sep 19, 2024 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-62c8-mh53-4cqv #3135

GoVulnBot opened this issue Sep 19, 2024 · 2 comments
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-62c8-mh53-4cqv references a vulnerability in the following Go modules:

Module
github.com/traefik/traefik
github.com/traefik/traefik/v2
github.com/traefik/traefik/v3

Description:

Impact

There is a vulnerability in Traefik that allows the client to remove the X-Forwarded headers (except the header X-Forwarded-For).

Patches

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description ### Summary

When a HTTP request is processed by Traefik, certain HTTP headers such as X-For...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/traefik/traefik
      vulnerable_at: 1.7.34
    - module: github.com/traefik/traefik/v2
      versions:
        - fixed: 2.11.9
      vulnerable_at: 2.11.8
    - module: github.com/traefik/traefik/v3
      versions:
        - introduced: 3.0.0-beta3
        - fixed: 3.1.3
      vulnerable_at: 3.1.2
summary: HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik
cves:
    - CVE-2024-45410
ghsas:
    - GHSA-62c8-mh53-4cqv
references:
    - advisory: https://github.com/advisories/GHSA-62c8-mh53-4cqv
    - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv
    - fix: https://github.com/traefik/traefik/commit/584144100524277829f26219baaab29a53b8134f
    - web: https://github.com/traefik/traefik/releases/tag/v2.11.9
    - web: https://github.com/traefik/traefik/releases/tag/v3.1.3
source:
    id: GHSA-62c8-mh53-4cqv
    created: 2024-09-19T15:01:24.156110971Z
review_status: UNREVIEWED
@zpavlinovic zpavlinovic mentioned this issue Sep 20, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/616059 mentions this issue: data/reports: add 13 unreviewed reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/616060 mentions this issue: data/reports: add 11 unreviewed reports

@GoVulnBot GoVulnBot mentioned this issue Nov 29, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Dec 17, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zpavlinovic @gopherbot @GoVulnBot