x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2024-52003

[GoVulnBot]

Advisory CVE-2024-52003 references a vulnerability in the following Go modules:

Module
github.com/traefik/traefik

Description:
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. This issue has been addressed in versions 2.11.14 and 3.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-52003
• FIX: Drop untrusted X-Forwarded-Prefix header traefik/traefik#11253
• WEB: https://github.com/traefik/traefik/releases/tag/v2.11.14
• WEB: https://github.com/traefik/traefik/releases/tag/v3.2.1
• WEB: GHSA-h924-8g65-j9wg

Cross references:

• github.com/traefik/traefik appears in 18 other report(s):
  • data/excluded/GO-2023-2117.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7v4p-328v-8v5g #2117) DEPENDENT_VULNERABILITY
  • data/reports/GO-2022-0325.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2022-23632 #325)
  • data/reports/GO-2022-0808.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7h6j-2268-fhcm #808)
  • data/reports/GO-2022-0923.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2021-32813, GHSA-m697-4v8f-55qg #923)
  • data/reports/GO-2022-1152.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-468w-8x39-gj5v #1152)
  • data/reports/GO-2022-1154.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-h2ph-vhm7-g4hp #1154)
  • data/reports/GO-2023-1919.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-r3fq-cmmw-cpmm #1919)
  • data/reports/GO-2023-1950.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-2cjc-rgmp-x649 #1950)
  • data/reports/GO-2023-2376.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2023-47106 #2376)
  • data/reports/GO-2023-2377.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2023-47633 #2377)
  • data/reports/GO-2023-2381.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-8g85-whqh-cr2f #2381)
  • data/reports/GO-2024-2722.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-4vwx-54mw-vqfw #2722)
  • data/reports/GO-2024-2726.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-7f4j-64p6-5h5v #2726)
  • data/reports/GO-2024-2880.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-f7cq-5v43-8pwp #2880)
  • data/reports/GO-2024-2917.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7jmw-8259-q9jx #2917)
  • data/reports/GO-2024-2941.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-rvj4-q8q5-8grf #2941)
  • data/reports/GO-2024-2973.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2024-39321 #2973)
  • data/reports/GO-2024-3135.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-62c8-mh53-4cqv #3135)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/traefik/traefik
      vulnerable_at: 1.7.34
summary: CVE-2024-52003 in github.com/traefik/traefik
cves:
    - CVE-2024-52003
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52003
    - fix: https://github.com/traefik/traefik/pull/11253
    - web: https://github.com/traefik/traefik/releases/tag/v2.11.14
    - web: https://github.com/traefik/traefik/releases/tag/v3.2.1
    - web: https://github.com/traefik/traefik/security/advisories/GHSA-h924-8g65-j9wg
source:
    id: CVE-2024-52003
    created: 2024-11-29T20:01:23.660916872Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/632976 mentions this issue: data/reports: add 5 unreviewed reports