Potential CVEs in v2.10.7


Our scanner found some CVEs in Traefik v2.10.7 so I was wondering if anyone would be able to tell me which are false positives or not. I realize that Traefik v2.10.7 is unsupported now so I'm not expecting anything to get updated or fixed, but it would be nice to know which of these can be dismissed and which will be affecting the Traefik version my team is using until we can update to v3.0.0.

I've already gone through the forum and eliminated the CVEs that have already been discussed, but there were a couple that hadn't been brought up before:

There's also a fair number of moderate CVEs:

  • CVE-2024-23651
  • CVE-2024-23650
  • CVE-2024-22189
  • CVE-2024-28180
  • CVE-2024-24786
  • CVE-2023-45857
  • CVE-2024-24784
  • CVE-2022-25883

Why don’t you upgrade to v2.11?

Did you search the forum ("CVE") and read related posts like this one?

We can't upgrade to 2.11 because it is built with Go 1.22. I work at Red Hat and we try to use internal containers as base images, and the latest Go version available there is 1.20 for RHEL 8 and 1.21 for RHEL 9. We fully intend to move to v3.0.0 as soon as 1.22 is available internally, but since my team doesn't control that timeline we were wondering if it'd be possible to get confirmation on these in the meantime.

I did go through the other CVE threads, including the one you linked. I've already eliminated those as false positives and they aren't included in the list above. Some of the moby CVEs were dismissed because traefik only uses the Docker API, and CVE-2024-23653, CVE-2024-23652, CVE-2024-23651 and CVE-2024-23650 are about buildkit, which does provide APIs.
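The module-level check the poster describes (is the flagged module linked into this Traefik binary at all, and at which version?) can be done from the build info the Go linker embeds, which `go version -m <binary>` prints. The program below is an added example, not code from the original post or from the Traefik project: it parses that output, compares the linked version with the advisory's fixed version, and reports "not linked", "vulnerable" or "patched" per advisory ID. Assumptions: the `go version -m` text format (header `<file>: goX.Y.Z`, then tab-separated `dep` records), the sample output is constructed and does not reflect Traefik v2.10.7's real module list, the v0.12.5 fixed version for CVE-2024-23651 is taken from the BuildKit advisory and should be confirmed against it, and `EXAMPLE-0001` is a placeholder advisory for a module the binary does not link.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// BuildInfo is what `go version -m <binary>` reports: toolchain plus linked modules.
type BuildInfo struct {
	GoVersion string
	Modules   map[string]string // module path -> version embedded by the linker
}

// ParseGoVersionM parses the text output of `go version -m <binary>`: a header line
// "<file>: goX.Y.Z" followed by tab-separated records "\tdep\t<module>\t<version>\t<hash>".
func ParseGoVersionM(out string) (BuildInfo, error) {
	bi := BuildInfo{Modules: map[string]string{}}
	sc := bufio.NewScanner(strings.NewReader(out))
	if !sc.Scan() || !strings.Contains(sc.Text(), ": go") {
		return bi, fmt.Errorf("missing <file>: goX.Y.Z header")
	}
	bi.GoVersion = sc.Text()[strings.LastIndex(sc.Text(), ": ")+2:]
	for sc.Scan() {
		f := strings.Split(strings.TrimPrefix(sc.Text(), "\t"), "\t")
		if len(f) >= 3 && (f[0] == "mod" || f[0] == "dep") { // path/build records carry no version
			bi.Modules[f[1]] = f[2]
		}
	}
	return bi, sc.Err()
}

// VersionLess reports whether module version a is older than b by its numeric vX.Y.Z
// core. A pre-release or pseudo-version (v0.12.5-0.20240101-abcdef) sorts before the
// release it precedes (semver rule), the conservative reading for triage: a commit
// taken before the fix tag counts as unfixed. A "+incompatible" suffix is ignored.
func VersionLess(a, b string) (bool, error) {
	parse := func(v string) (c [3]int, pre bool, err error) {
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			pre, v = v[i] == '-', v[:i]
		}
		for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
			if c[i], err = strconv.Atoi(p); err != nil {
				return c, false, fmt.Errorf("cannot parse version %q", v)
			}
		}
		return c, pre, nil
	}
	ca, pa, err := parse(a)
	if err != nil {
		return false, err
	}
	cb, pb, err := parse(b)
	if err != nil {
		return false, err
	}
	for i := range ca {
		if ca[i] != cb[i] {
			return ca[i] < cb[i], nil
		}
	}
	return pa && !pb, nil
}

// Advisory maps one scanner finding to a Go module; FixedIn is the first patched version.
type Advisory struct{ ID, Module, FixedIn string }

// Triage returns a verdict per advisory ID. "not linked" is a false positive for this
// build. "vulnerable" is only a module-level hit: whether the vulnerable function is
// reachable from Traefik's code is what govulncheck -mode=binary decides at symbol level.
func Triage(bi BuildInfo, advs []Advisory) (map[string]string, error) {
	out := map[string]string{}
	for _, a := range advs {
		v, ok := bi.Modules[a.Module]
		if !ok {
			out[a.ID] = "not linked"
			continue
		}
		switch older, err := VersionLess(v, a.FixedIn); {
		case err != nil:
			return nil, fmt.Errorf("%s: %w", a.ID, err)
		case older:
			out[a.ID] = "vulnerable: " + v + " < " + a.FixedIn
		default:
			out[a.ID] = "patched: " + v
		}
	}
	return out, nil
}

// Constructed sample of `go version -m traefik` output for this example; the versions
// are placeholders, not Traefik v2.10.7's real module list.
const SampleGoVersionM = "traefik: go1.20.12\n" +
	"\tdep\tgithub.com/moby/buildkit\tv0.11.6\th1:placeholder=\n" +
	"\tdep\tgithub.com/docker/docker\tv24.0.7+incompatible\th1:placeholder=\n"

// v0.12.5 is the fix version the BuildKit advisory gives for CVE-2024-23651 (confirm
// against the advisory); EXAMPLE-0001 is a placeholder for a module that is not linked.
var SampleAdvisories = []Advisory{
	{ID: "CVE-2024-23651", Module: "github.com/moby/buildkit", FixedIn: "v0.12.5"},
	{ID: "EXAMPLE-0001", Module: "example.com/not-linked", FixedIn: "v1.0.0"},
}
```

In practice feed it the real output of `go version -m /path/to/traefik`, then run `govulncheck -mode=binary /path/to/traefik` for the reachability question: a module being present (as buildkit is, through the Docker client dependency) is necessary but not sufficient for the finding to be real, which is exactly the distinction the scanner cannot make on its own.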

Hello, we (traefik maintainers) maintain only v3.0 and v2.11.

Using Go 1.20 is a security issue because the Go team only provides security fixes on the 2 latest minor versions (go1.21 and go1.22)

Using Traefik v2.10 is also a security issue because we only maintain (and so provide security fixes) v3.0 and v2.11.


OK, thank you for taking the time to respond!
