Base Score

MEDIUM5.9

CVE-2023-47124

Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the `HTTPChallenge` to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a `slowloris attack`. This vulnerability has been patch in version 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. Users unable to upgrade should replace the `HTTPChallenge` with the `TLSChallenge` or the `DNSChallenge`.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateDec 04, 2023, 21:15

Affected Versions(2)

github.com/traefik/traefik/v2(Go)

Introduced0

Fixed2.10.6

LimitN/A

github.com/traefik/traefik/v3(Go)

Introduced0

Fixed3.0.0-beta5

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/traefik/traefik/v2(Go)	0	2.10.6	N/A
github.com/traefik/traefik/v3(Go)	0	3.0.0-beta5	N/A

Weakness Type (CWE):CWE-772

CVSS Metrics

Base Score

5.9

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH

References

Base Score

MEDIUM5.9

Weakness Type (CWE):CWE-772

CVSS Metrics

Base Score

5.9

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH

CVE-2023-47124

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateDec 04, 2023, 21:15

Package (Ecosystem)

Introduced

Fixed

Limit

github.com/traefik/traefik/v2(Go)

2.10.6

N/A

github.com/traefik/traefik/v3(Go)

3.0.0-beta5

N/A