Denial of service whith ACME HTTPChallenge in Traefik
CVE-2023-47124

5.9MEDIUM

Key Information:

Vendor

Traefik

Status
Traefik
Vendor
CVE Published:
4 December 2023

What is CVE-2023-47124?

Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the HTTPChallenge to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a slowloris attack. This vulnerability has been patch in version 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. Users unable to upgrade should replace the HTTPChallenge with the TLSChallenge or the DNSChallenge.

Affected Version(s)

traefik < 2.10.6 < 2.10.6

traefik >= 3.0.0-beta1, < 3.0.0-beta5 < 3.0.0-beta1, 3.0.0-beta5

References

https://github.com/traefik/traefik/security/advisories/GH...
x_refsource_CONFIRM
https://doc.traefik.io/traefik/https/acme/#dnschallenge
x_refsource_MISC
https://doc.traefik.io/traefik/https/acme/#httpchallenge
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2023-47124 : Denial of service whith ACME HTTPChallenge in Traefik