rpm package
opensuse/traefik&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/traefik&distro=openSUSE%20Tumbleweed
Vulnerabilities (52)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-47106 | — |  |  | < 2.10.7-1.1 | 2.10.7-1.1 | Dec 4, 2023 | Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain |
| CVE-2023-47124 | — |  |  | < 2.10.7-1.1 | 2.10.7-1.1 | Dec 4, 2023 | Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the `HTTPChallenge` to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a `slo |
| CVE-2023-45284 | — |  |  | < 2.10.7-1.1 | 2.10.7-1.1 | Nov 9, 2023 | On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr |
| CVE-2023-45283 | — |  |  | < 2.10.7-1.1 | 2.10.7-1.1 | Nov 9, 2023 | The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, |
| CVE-2023-39325 | — |  |  | < 2.10.7-1.1 | 2.10.7-1.1 | Oct 11, 2023 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack |
| CVE-2023-29013 | — |  |  | < 2.10.1-1.1 | 2.10.1-1.1 | Apr 14, 2023 | Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the p |
| CVE-2023-24534 | — |  |  | < 2.10.1-1.1 | 2.10.1-1.1 | Apr 6, 2023 | HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more m |
| CVE-2022-41724 | — |  |  | < 2.10.1-1.1 | 2.10.1-1.1 | Feb 28, 2023 | Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly |
| CVE-2022-46153 | — |  |  | < 2.9.6-1.1 | 2.9.6-1.1 | Dec 8, 2022 | Traefik is an open source HTTP reverse proxy and load balancer. In affected versions there is a potential vulnerability in Traefik managing TLS connections. A router configured with a not well-formatted TLSOption is exposed with an empty TLSOption. For instance, a route secured u |
| CVE-2022-23469 | — |  |  | < 2.9.6-1.1 | 2.9.6-1.1 | Dec 8, 2022 | Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Au |
| CVE-2022-41717 | — |  |  | < 2.9.6-1.1 | 2.9.6-1.1 | Dec 8, 2022 | An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s |
| CVE-2022-28948 | — |  |  | < 3.5.1-1.1 | 3.5.1-1.1 | May 19, 2022 | An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input. |