Traefik HTTP/2 connections management could cause a denial of service
CVE-2022-39271

7.5HIGH

Key Information:

Vendor: Traefik
Status: Traefik
Vendor: CVE Published:; 11 October 2022

What is CVE-2022-39271?

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. There has been a patch released in versions 2.8.8 and 2.9.0-rc5. There are currently no known workarounds.

Affected Version(s)

traefik < 2.8.8 < 2.8.8

traefik >= 2.9.0-rc1, < 2.9.0-rc5 < 2.9.0-rc1, 2.9.0-rc5

References

https://github.com/traefik/traefik/security/advisories/GH...

https://github.com/traefik/traefik/releases/tag/v2.8.8

https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 11, 2022
Vulnerability Reserved
Sep 2, 2022