CVE-2023-47124
CVSS V2 None
CVSS V3 None
Description
Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the `HTTPChallenge` to generate and renew Let's Encrypt TLS certificates, the delay allowed for solving the challenge (50 seconds) can be exploited by attackers to carry out a slowloris attack. This vulnerability has been patched in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. Users unable to upgrade should replace the `HTTPChallenge` with the `TLSChallenge` or the `DNSChallenge`.
Overview
- CVE ID: CVE-2023-47124
- Assigner: GitHub_M
- Vulnerability Status: PUBLISHED
- Published Version: 2023-12-04T20:20:30.727Z
- Last Modified Date: 2023-12-04T20:20:30.727Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://github.com/traefik/traefik/security/advisories/GHSA-8g85-whqh-cr2f | x_refsource_CONFIRM |
https://doc.traefik.io/traefik/https/acme/#dnschallenge | x_refsource_MISC |
https://doc.traefik.io/traefik/https/acme/#httpchallenge | x_refsource_MISC |
https://doc.traefik.io/traefik/https/acme/#tlschallenge | x_refsource_MISC |
https://github.com/traefik/traefik/releases/tag/v2.10.6 | x_refsource_MISC |
https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5 | x_refsource_MISC |
https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/ | x_refsource_MISC |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-47124 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47124 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-06-25 09:13:57 | | | | Added to TrackCVE |