Description

Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified. For HTTP/1.1, however, it was found that some of theses custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior, that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been addressed in release versions 2.11.9 and 3.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

INFO

Published Date :

2024-09-19T22:51:02.622Z

Last Modified :

2024-09-20T14:59:42.914Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-45410 vulnerability.

Vendors Products
Redhat
  • Openshift Devspaces
Traefik
  • Traefik
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-45410.

URL Resource
https://github.com/traefik/traefik cve-icon
https://github.com/traefik/traefik/commit/584144100524277829f26219baaab29a53b8134f cve-icon
https://github.com/traefik/traefik/releases/tag/v2.11.9 cve-icon cve-icon cve-icon
https://github.com/traefik/traefik/releases/tag/v3.1.3 cve-icon cve-icon cve-icon
https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-45410 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-45410 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact