We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-45410

HTTP client can remove the X-Forwarded headers in Traefik



Description

Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified. For HTTP/1.1, however, it was found that some of theses custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior, that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been addressed in release versions 2.11.9 and 3.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Reserved 2024-08-28 | Published 2024-09-19 | Updated 2024-09-20 | Assigner GitHub_M


CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-345: Insufficient Verification of Data Authenticity

CWE-348: Use of Less Trusted Source

Product status

< 2.11.9
affected

>= 3.0.0, < 3.1.3
affected

References

github.com/...raefik/security/advisories/GHSA-62c8-mh53-4cqv

github.com/traefik/traefik/releases/tag/v2.11.9

github.com/traefik/traefik/releases/tag/v3.1.3

cve.org (CVE-2024-45410)

nvd.nist.gov (CVE-2024-45410)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-45410

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.