VYPR

rpm package

opensuse/traefik&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/traefik&distro=openSUSE%20Tumbleweed

Vulnerabilities (55)

  • CVE-2026-22045Jan 15, 2026
    affected < 3.6.7-1.1fixed 3.6.7-1.1

    Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors inde

  • CVE-2025-66491Dec 9, 2025
    affected < 3.6.6-1.1fixed 3.6.6-1.1

    Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually

  • CVE-2025-66490Dec 9, 2025
    affected < 3.6.6-1.1fixed 3.6.6-1.1

    Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted chara

  • CVE-2025-58181MedNov 19, 2025
    affected < 3.6.7-1.1fixed 3.6.7-1.1

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-47952CriMay 30, 2025
    affected < 3.4.3-1.1fixed 3.4.3-1.1

    Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a b

  • CVE-2025-22872MedApr 16, 2025
    affected < 3.4.3-1.1fixed 3.4.3-1.1

    The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul

  • CVE-2025-30204HigMar 21, 2025
    affected < 3.5.0-1.1fixed 3.5.0-1.1

    golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou

  • CVE-2025-22869HigFeb 26, 2025
    affected < 3.4.3-1.1fixed 3.4.3-1.1

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

  • CVE-2025-22868HigFeb 26, 2025
    affected < 3.4.3-1.1fixed 3.4.3-1.1

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

  • CVE-2025-27144MedFeb 24, 2025
    affected < 3.4.3-1.1fixed 3.4.3-1.1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par

  • CVE-2024-45338MedDec 18, 2024
    affected < 3.4.3-1.1fixed 3.4.3-1.1

    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

  • CVE-2024-45337CriDec 12, 2024
    affected < 3.2.3-1.1fixed 3.2.3-1.1

    Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that

  • CVE-2024-51744LowNov 4, 2024
    affected < 3.2.1-1.1fixed 3.2.1-1.1

    golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r

  • CVE-2024-45410CriSep 19, 2024
    affected < 3.1.4-1.1fixed 3.1.4-1.1

    Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible t

  • CVE-2024-39321HigJul 5, 2024
    affected < 3.0.4-2.1fixed 3.0.4-2.1

    Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-r

  • CVE-2024-6104MedJun 24, 2024
    affected < 3.1.2-1.1fixed 3.1.2-1.1

    go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

  • CVE-2024-4533MedMay 27, 2024
    affected < 3.4.3-1.1fixed 3.4.3-1.1

    The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks

  • CVE-2024-4068HigMay 14, 2024
    affected < 3.1.2-1.1fixed 3.1.2-1.1

    The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program

  • CVE-2024-24788MedMay 8, 2024
    affected < 3.0.1-1.1fixed 3.0.1-1.1

    A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

  • CVE-2024-28869HigApr 12, 2024
    affected < 2.11.2-1.1fixed 2.11.2-1.1

    Traefik is an HTTP reverse proxy and load balancer. In affected versions sending a GET request to any Traefik endpoint with the "Content-length" request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce

VYPR — Vulnerability Intelligence