New Security Updates for Traefik 2.10 and 3.0.0-beta

On October 6, 2023, Go published CVE-2023-39325 to solve the issue described in CVE-2023-44487. These describe a vulnerability in Go managing HTTP/2 requests, which impacts Traefik.

This vulnerability could be exploited to cause a denial of service.

As of October 12, 2023, we have patched this vulnerability with Traefik Proxy 2.10.5 and Traefik Proxy 3.0.0-beta4.

You can find more information in the GitHub Advisory we’ve published.

If you have any questions or comments about this advisory, please add a comment.
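As an added example that is not part of the advisory or of Traefik's own tooling, here is a small Python check that pulls the `Version:` line out of `traefik version` output and compares it against the fixed releases named above. It assumes that any 2.x release at or above 2.10.5 and any 3.x release at or above 3.0.0-beta4 carries the fix (the advisory names only those two versions, so later branches are an assumption), and the sample CLI output embedded below is constructed, not captured from a real host.

```python
import re

# Fixed versions stated in the advisory above; later versions on each line
# are assumed to contain the fix as well.
FIXED_2X = "2.10.5"
FIXED_3X = "3.0.0-beta4"

# Matches "2.10.5", "v2.10.5" and pre-releases such as "3.0.0-beta4".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)(\d+))?$")


def parse_version(text):
    """Turn a Traefik version string into a tuple that compares correctly.

    Layout: (major, minor, patch, is_final, prerelease_tag, prerelease_number).
    A final release gets is_final=1 so it sorts after any pre-release with the
    same major.minor.patch; tags compare alphabetically (alpha < beta < rc).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    core = (int(major), int(minor), int(patch))
    if tag is None:
        return core + (1, "", 0)
    return core + (0, tag.lower(), int(num))


def is_patched(version):
    """True if the given Traefik version contains the HTTP/2 DoS fix."""
    v = parse_version(version)
    major = v[0]
    if major == 2:
        return v >= parse_version(FIXED_2X)
    if major >= 3:
        return v >= parse_version(FIXED_3X)
    # 1.x and older are outside the advisory; treat them as not covered.
    return False


def version_from_cli_output(output):
    """Extract the value of the 'Version:' line from `traefik version` output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "version":
            return value.strip()
    raise ValueError("no 'Version:' line found in output")


# Constructed sample of `traefik version` output for an unpatched 2.10 host.
SAMPLE_OUTPUT = """\
Version:      2.10.4
Go version:   go1.20.7
OS/Arch:      linux/amd64
"""


def check_host(output):
    """Return (version, patched) for one host's `traefik version` output."""
    version = version_from_cli_output(output)
    return version, is_patched(version)


if __name__ == "__main__":
    version, patched = check_host(SAMPLE_OUTPUT)
    status = "patched" if patched else "NOT patched, upgrade required"
    print(f"Traefik {version}: {status}")
```

Feed it the output of `traefik version` from each proxy instance (or container image) you run; a `False` result means the instance predates the fix and should be upgraded to 2.10.5 or 3.0.0-beta4 or later.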

Hi, it looks like now, or before, there is CVE-2023-28840 affecting the updated image. Any plan to fix CVE-2023-28840 soon? In the meantime, any advice on how to manually patch for this issue? Thanks.

Hi @ade-owasp-sf, thanks for your interest in Traefik!

Please be sure that we analyze all CVEs related to Traefik and guarantee their treatment in the shortest possible time when we are impacted by them.

Traefik is not impacted by this CVE.
Traefik uses a small part of the API client; the CVE is not about something used in Traefik.

Potential false positives related to vulnerability scanning tools are a known issue.