rpm package
opensuse/traefik2&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/traefik2&distro=openSUSE%20Tumbleweed
Vulnerabilities (50)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-22872 | Med | 6.5 | < 2.11.26-1.1 | 2.11.26-1.1 | Apr 16, 2025 | The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul | |
| CVE-2025-22871 | Cri | 9.1 | < 2.11.26-1.1 | 2.11.26-1.1 | Apr 8, 2025 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. | |
| CVE-2025-30204 | Hig | 7.5 | < 2.11.28-1.1 | 2.11.28-1.1 | Mar 21, 2025 | golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou | |
| CVE-2025-22868 | — | < 2.11.26-1.1 | 2.11.26-1.1 | Feb 26, 2025 | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. | ||
| CVE-2025-22869 | — | < 2.11.26-1.1 | 2.11.26-1.1 | Feb 26, 2025 | SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. | ||
| CVE-2025-27144 | Med | — | < 2.11.26-1.1 | 2.11.26-1.1 | Feb 24, 2025 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par | |
| CVE-2024-45338 | Med | 5.3 | < 2.11.26-1.1 | 2.11.26-1.1 | Dec 18, 2024 | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. | |
| CVE-2024-45337 | Cri | 9.1 | < 2.11.16-1.1 | 2.11.16-1.1 | Dec 12, 2024 | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that | |
| CVE-2024-51744 | Low | 3.1 | < 2.11.14-1.1 | 2.11.14-1.1 | Nov 4, 2024 | golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r | |
| CVE-2024-45410 | — | < 2.11.10-1.1 | 2.11.10-1.1 | Sep 19, 2024 | Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible t | ||
| CVE-2024-39321 | — | < 2.11.6-2.1 | 2.11.6-2.1 | Jul 5, 2024 | Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-r | ||
| CVE-2024-6104 | — | < 2.11.8-1.1 | 2.11.8-1.1 | Jun 24, 2024 | go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. | ||
| CVE-2024-4068 | — | < 2.11.8-1.1 | 2.11.8-1.1 | May 13, 2024 | The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program | ||
| CVE-2024-24788 | Med | 5.9 | < 2.11.5-1.1 | 2.11.5-1.1 | May 8, 2024 | A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. | |
| CVE-2024-28869 | — | < 2.11.5-1.1 | 2.11.5-1.1 | Apr 12, 2024 | Traefik is an HTTP reverse proxy and load balancer. In affected versions sending a GET request to any Traefik endpoint with the "Content-length" request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce | ||
| CVE-2023-45288 | Hig | 7.5 | < 2.11.5-1.1 | 2.11.5-1.1 | Apr 4, 2024 | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma | |
| CVE-2024-28180 | — | < 2.11.26-1.1 | 2.11.26-1.1 | Mar 9, 2024 | Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret | ||
| CVE-2023-47633 | — | < 2.11.5-1.1 | 2.11.5-1.1 | Dec 4, 2023 | Traefik is an open source HTTP reverse proxy and load balancer. The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration. This issue has been addresse | ||
| CVE-2023-47106 | — | < 2.11.5-1.1 | 2.11.5-1.1 | Dec 4, 2023 | Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain | ||
| CVE-2023-47124 | — | < 2.11.5-1.1 | 2.11.5-1.1 | Dec 4, 2023 | Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the `HTTPChallenge` to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a `slo |
- affected < 2.11.26-1.1fixed 2.11.26-1.1
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
- affected < 2.11.26-1.1fixed 2.11.26-1.1
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
- affected < 2.11.28-1.1fixed 2.11.28-1.1
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou
- CVE-2025-22868Feb 26, 2025affected < 2.11.26-1.1fixed 2.11.26-1.1
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
- CVE-2025-22869Feb 26, 2025affected < 2.11.26-1.1fixed 2.11.26-1.1
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
- affected < 2.11.26-1.1fixed 2.11.26-1.1
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par
- affected < 2.11.26-1.1fixed 2.11.26-1.1
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
- affected < 2.11.16-1.1fixed 2.11.16-1.1
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
- affected < 2.11.14-1.1fixed 2.11.14-1.1
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r
- CVE-2024-45410Sep 19, 2024affected < 2.11.10-1.1fixed 2.11.10-1.1
Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible t
- CVE-2024-39321Jul 5, 2024affected < 2.11.6-2.1fixed 2.11.6-2.1
Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-r
- CVE-2024-6104Jun 24, 2024affected < 2.11.8-1.1fixed 2.11.8-1.1
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
- CVE-2024-4068May 13, 2024affected < 2.11.8-1.1fixed 2.11.8-1.1
The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program
- affected < 2.11.5-1.1fixed 2.11.5-1.1
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
- CVE-2024-28869Apr 12, 2024affected < 2.11.5-1.1fixed 2.11.5-1.1
Traefik is an HTTP reverse proxy and load balancer. In affected versions sending a GET request to any Traefik endpoint with the "Content-length" request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce
- affected < 2.11.5-1.1fixed 2.11.5-1.1
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
- CVE-2024-28180Mar 9, 2024affected < 2.11.26-1.1fixed 2.11.26-1.1
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret
- CVE-2023-47633Dec 4, 2023affected < 2.11.5-1.1fixed 2.11.5-1.1
Traefik is an open source HTTP reverse proxy and load balancer. The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration. This issue has been addresse
- CVE-2023-47106Dec 4, 2023affected < 2.11.5-1.1fixed 2.11.5-1.1
Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain
- CVE-2023-47124Dec 4, 2023affected < 2.11.5-1.1fixed 2.11.5-1.1
Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the `HTTPChallenge` to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a `slo
Page 2 of 3