PT-2023-30327 · Traefik+1 · Traefik+1

Mikaelgundersen

Published

2023-12-04

Updated

2024-11-19

CVE-2023-47124

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Traefik versions prior to 2.10.6 Traefik versions prior to 3.0.0-beta5

Description The issue arises when Traefik is configured to use the HTTPChallenge to generate and renew Let's Encrypt TLS certificates. The delay authorized to solve the challenge can be exploited by attackers to achieve a slowloris attack.

Recommendations For versions prior to 2.10.6, upgrade to version 2.10.6 or later. For versions prior to 3.0.0-beta5, upgrade to version 3.0.0-beta5 or later. As a temporary workaround, consider replacing the HTTPChallenge with the TLSChallenge or the DNSChallenge until a patch is applied.

Exploit

Fix

Resource Exhaustion

Missing Release of Resource after Effective Lifetime

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400CWE-772

Related Identifiers

ALT-PU-2024-12000

ALT-PU-2024-1254

ALT-PU-2024-1883

ALT-PU-2024-6626

CVE-2023-47124

ECHO-6D34-77D3-0A22

GHSA-8G85-WHQH-CR2F

GO-2023-2381

OPENSUSE-SU-2024:13506-1

OPENSUSE-SU-2024:14076-1

Affected Products

Alt Linux

Traefik

PT-2023-30327 · Traefik+1 · Traefik+1

CVE-2023-47124

Weakness Enumeration

Related Identifiers

Affected Products

References · 33