rpm package
opensuse/traefik&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/traefik&distro=openSUSE%20Tumbleweed
Vulnerabilities (52)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-58181 | — | < 3.6.7-1.1 | 3.6.7-1.1 | Nov 19, 2025 | SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. | ||
| CVE-2025-47952 | — | < 3.4.3-1.1 | 3.4.3-1.1 | May 30, 2025 | Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a b | ||
| CVE-2025-22872 | Med | 6.5 | < 3.4.3-1.1 | 3.4.3-1.1 | Apr 16, 2025 | The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul | |
| CVE-2025-30204 | Hig | 7.5 | < 3.5.0-1.1 | 3.5.0-1.1 | Mar 21, 2025 | golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou | |
| CVE-2025-22868 | — | < 3.4.3-1.1 | 3.4.3-1.1 | Feb 26, 2025 | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. | ||
| CVE-2025-22869 | — | < 3.4.3-1.1 | 3.4.3-1.1 | Feb 26, 2025 | SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. | ||
| CVE-2025-27144 | Med | — | < 3.4.3-1.1 | 3.4.3-1.1 | Feb 24, 2025 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par | |
| CVE-2024-45338 | Med | 5.3 | < 3.4.3-1.1 | 3.4.3-1.1 | Dec 18, 2024 | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. | |
| CVE-2024-45337 | Cri | 9.1 | < 3.2.3-1.1 | 3.2.3-1.1 | Dec 12, 2024 | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that | |
| CVE-2024-51744 | Low | 3.1 | < 3.2.1-1.1 | 3.2.1-1.1 | Nov 4, 2024 | golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r | |
| CVE-2024-45410 | — | < 3.1.4-1.1 | 3.1.4-1.1 | Sep 19, 2024 | Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible t | ||
| CVE-2024-39321 | — | < 3.0.4-2.1 | 3.0.4-2.1 | Jul 5, 2024 | Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-r | ||
| CVE-2024-6104 | — | < 3.1.2-1.1 | 3.1.2-1.1 | Jun 24, 2024 | go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. | ||
| CVE-2024-4533 | — | < 3.4.3-1.1 | 3.4.3-1.1 | May 27, 2024 | The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks | ||
| CVE-2024-4068 | — | < 3.1.2-1.1 | 3.1.2-1.1 | May 13, 2024 | The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program | ||
| CVE-2024-24788 | Med | 5.9 | < 3.0.1-1.1 | 3.0.1-1.1 | May 8, 2024 | A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. | |
| CVE-2024-28869 | — | < 2.11.2-1.1 | 2.11.2-1.1 | Apr 12, 2024 | Traefik is an HTTP reverse proxy and load balancer. In affected versions sending a GET request to any Traefik endpoint with the "Content-length" request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce | ||
| CVE-2023-45288 | Hig | 7.5 | < 2.11.2-1.1 | 2.11.2-1.1 | Apr 4, 2024 | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma | |
| CVE-2024-28180 | — | < 3.5.1-1.1 | 3.5.1-1.1 | Mar 9, 2024 | Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret | ||
| CVE-2023-47633 | — | < 2.10.7-1.1 | 2.10.7-1.1 | Dec 4, 2023 | Traefik is an open source HTTP reverse proxy and load balancer. The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration. This issue has been addresse |
- CVE-2025-58181Nov 19, 2025affected < 3.6.7-1.1fixed 3.6.7-1.1
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
- CVE-2025-47952May 30, 2025affected < 3.4.3-1.1fixed 3.4.3-1.1
Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a b
- affected < 3.4.3-1.1fixed 3.4.3-1.1
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
- affected < 3.5.0-1.1fixed 3.5.0-1.1
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou
- CVE-2025-22868Feb 26, 2025affected < 3.4.3-1.1fixed 3.4.3-1.1
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
- CVE-2025-22869Feb 26, 2025affected < 3.4.3-1.1fixed 3.4.3-1.1
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
- affected < 3.4.3-1.1fixed 3.4.3-1.1
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par
- affected < 3.4.3-1.1fixed 3.4.3-1.1
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
- affected < 3.2.3-1.1fixed 3.2.3-1.1
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
- affected < 3.2.1-1.1fixed 3.2.1-1.1
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r
- CVE-2024-45410Sep 19, 2024affected < 3.1.4-1.1fixed 3.1.4-1.1
Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible t
- CVE-2024-39321Jul 5, 2024affected < 3.0.4-2.1fixed 3.0.4-2.1
Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-r
- CVE-2024-6104Jun 24, 2024affected < 3.1.2-1.1fixed 3.1.2-1.1
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
- CVE-2024-4533May 27, 2024affected < 3.4.3-1.1fixed 3.4.3-1.1
The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks
- CVE-2024-4068May 13, 2024affected < 3.1.2-1.1fixed 3.1.2-1.1
The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program
- affected < 3.0.1-1.1fixed 3.0.1-1.1
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
- CVE-2024-28869Apr 12, 2024affected < 2.11.2-1.1fixed 2.11.2-1.1
Traefik is an HTTP reverse proxy and load balancer. In affected versions sending a GET request to any Traefik endpoint with the "Content-length" request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce
- affected < 2.11.2-1.1fixed 2.11.2-1.1
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
- CVE-2024-28180Mar 9, 2024affected < 3.5.1-1.1fixed 3.5.1-1.1
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret
- CVE-2023-47633Dec 4, 2023affected < 2.10.7-1.1fixed 2.10.7-1.1
Traefik is an open source HTTP reverse proxy and load balancer. The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration. This issue has been addresse
Page 2 of 3