New Security Updates for Traefik 2.10 and 3.0.0-beta

nicomengin · October 13, 2023, 8:10am

On October 6, 2023, Go published CVE-2023-39325 to solve the issue described in CVE-2023-44487. These describe a vulnerability in Go managing HTTP/2 requests, which impacts Traefik.

This vulnerability could be exploited to cause a denial of service.

As of October 12, 2023, We have patched this vulnerability with Traefik Proxy 2.10.5 and Traefik Proxy 3.0.0-beta4.

You can find more information in the Github Advisory we’ve published.

If you have any questions or comments about this advisory, please add a comment.

ade-owasp-sf · October 17, 2023, 3:33pm

Hi, it looks like now, or before, there is CVE-2023-28840 affecting the updated image. Any plan to fix for CVE-2023-28840 soon? In the meantime, any advice on how to manually patch for this issue? Thanks.

svx · October 19, 2023, 1:32pm

Hi @ade-owasp-sf, thanks for your interest in Traefik!

Please be sure that we analyze all CVEs related to Traefik and guarantee their treatment in the shortest possible time when we are impacted by them.

Traefik is not impacted by this CVE.
Traefik uses a small part of the API client, the CVE is not about something used in Traefik.

Potential false positives related to vulnerability scanning tools are a known issue.

Topic		Replies	Views
New Security Updates for Traefik 2.10 (2.10.6) and 3.0 (3.0.0-beta5) Announcements	0	569	December 4, 2023
CVE vulnerability Traefik CVE-2022-41717 Traefik v2 file	2	380	December 7, 2022
Is Traefik vulnerable to CVE-2023-44487? Traefik v2 kubernetes-crd , kubernetes-ingress	11	7779	October 19, 2023
CVE vulnerability CVE-2021-41103 and CVE-2021-43816 Traefik v2 middleware	3	467	February 9, 2022
New Security Updates for Traefik 2.9 and 2.10 Traefik v2	0	470	April 13, 2023

New Security Updates for Traefik 2.10 and 3.0.0-beta

Related topics