New Security Updates for Traefik 2.10 and 3.0.0-beta

nicomengin · October 13, 2023, 8:10am

On October 6, 2023, Go published CVE-2023-39325 to solve the issue described in CVE-2023-44487. These describe a vulnerability in Go managing HTTP/2 requests, which impacts Traefik.

This vulnerability could be exploited to cause a denial of service.

As of October 12, 2023, We have patched this vulnerability with Traefik Proxy 2.10.5 and Traefik Proxy 3.0.0-beta4.

You can find more information in the Github Advisory we’ve published.

If you have any questions or comments about this advisory, please add a comment.

ade-owasp-sf · October 17, 2023, 3:33pm

Hi, it looks like now, or before, there is CVE-2023-28840 affecting the updated image. Any plan to fix for CVE-2023-28840 soon? In the meantime, any advice on how to manually patch for this issue? Thanks.

svx · October 19, 2023, 1:32pm

Hi @ade-owasp-sf, thanks for your interest in Traefik!

Please be sure that we analyze all CVEs related to Traefik and guarantee their treatment in the shortest possible time when we are impacted by them.

Traefik is not impacted by this CVE.
Traefik uses a small part of the API client, the CVE is not about something used in Traefik.

Potential false positives related to vulnerability scanning tools are a known issue.

Topic		Replies	Views
CVE vulnerability Traefik CVE-2022-41717 Traefik v2 (latest) file	2	329	December 7, 2022
CVE vulnerability CVE-2021-41103 and CVE-2021-43816 Traefik v2 (latest) middleware	3	414	February 9, 2022
New Security Updates for Traefik 2.9 and 2.10 Traefik v2 (latest)	0	395	April 13, 2023
CVE vulnerability Traefik CVE-2022-29153 Traefik v2 (latest) cli	2	401	September 22, 2022
Cve-2023-24534, cve-2023-24536 Traefik v2 (latest) kubernetes-ingress	2	441	April 12, 2023

New Security Updates for Traefik 2.10 and 3.0.0-beta

Related Topics