Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-47124

Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the `HTTPChallenge` to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a `slowloris attack`. This vulnerability has been patch in version 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. Users unable to upgrade should replace the `HTTPChallenge` with the `TLSChallenge` or the `DNSChallenge`.

Published

2023-12-04T21:15:33.850

Last Modified

2024-11-21T08:29:49.663

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.9 (MEDIUM)

Weaknesses

Type: Secondary
CWE-772

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	traefik	traefik	≤ 2.10.5	Yes
Application	traefik	traefik	3.0.0	Yes
Application	traefik	traefik	3.0.0	Yes
Application	traefik	traefik	3.0.0	Yes
Application	traefik	traefik	3.0.0	Yes

References

https://doc.traefik.io/traefik/https/acme/#dnschallenge Product ([email protected])
https://doc.traefik.io/traefik/https/acme/#httpchallenge Product ([email protected])
https://doc.traefik.io/traefik/https/acme/#tlschallenge Product ([email protected])
https://github.com/traefik/traefik/releases/tag/v2.10.6 Release Notes ([email protected])
https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5 Release Notes ([email protected])
https://github.com/traefik/traefik/security/advisories/GHSA-8g85-whqh-cr2f Third Party Advisory ([email protected])
https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris ([email protected])
https://doc.traefik.io/traefik/https/acme/#dnschallenge Product (af854a3a-2127-422b-91ae-364da2661108)
https://doc.traefik.io/traefik/https/acme/#httpchallenge Product (af854a3a-2127-422b-91ae-364da2661108)
https://doc.traefik.io/traefik/https/acme/#tlschallenge Product (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/traefik/traefik/releases/tag/v2.10.6 Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5 Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/traefik/traefik/security/advisories/GHSA-8g85-whqh-cr2f Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
ttps://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/ (af854a3a-2127-422b-91ae-364da2661108)