CVE-2023-47124
Denial of service whith ACME HTTPChallenge in Traefik
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the `HTTPChallenge` to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a `slowloris attack`. This vulnerability has been patch in version 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. Users unable to upgrade should replace the `HTTPChallenge` with the `TLSChallenge` or the `DNSChallenge`.
Traefik es un equilibrador de carga y proxy inverso HTTP de código abierto. Cuando Traefik está configurado para usar `HTTPChallenge` para generar y renovar los certificados TLS de Let's Encrypt, los atacantes pueden aprovechar el retraso autorizado para resolver el desafío (50 segundos) para lograr un `ataque lento`. Esta vulnerabilidad ha sido parcheada en las versiones 2.10.6 y 3.0.0-beta5. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben reemplazar `HTTPChallenge` con `TLSChallenge` o `DNSChallenge`.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-10-30 CVE Reserved
- 2023-12-04 CVE Published
- 2023-12-08 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-772: Missing Release of Resource after Effective Lifetime
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://doc.traefik.io/traefik/https/acme/#dnschallenge | Product | |
| https://doc.traefik.io/traefik/https/acme/#httpchallenge | Product | |
| https://doc.traefik.io/traefik/https/acme/#tlschallenge | Product | |
| https://github.com/traefik/traefik/releases/tag/v2.10.6 | Release Notes | |
| https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5 | Release Notes | |
| https://github.com/traefik/traefik/security/advisories/GHSA-8g85-whqh-cr2f | Third Party Advisory | |
| ttps://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris | Broken Link |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Traefik Search vendor "Traefik" | Traefik Search vendor "Traefik" for product "Traefik" | <= 2.10.5 Search vendor "Traefik" for product "Traefik" and version " <= 2.10.5" | - |
Affected
| ||||||
| Traefik Search vendor "Traefik" | Traefik Search vendor "Traefik" for product "Traefik" | 3.0.0 Search vendor "Traefik" for product "Traefik" and version "3.0.0" | beta1 |
Affected
| ||||||
| Traefik Search vendor "Traefik" | Traefik Search vendor "Traefik" for product "Traefik" | 3.0.0 Search vendor "Traefik" for product "Traefik" and version "3.0.0" | beta2 |
Affected
| ||||||
| Traefik Search vendor "Traefik" | Traefik Search vendor "Traefik" for product "Traefik" | 3.0.0 Search vendor "Traefik" for product "Traefik" and version "3.0.0" | beta3 |
Affected
| ||||||
| Traefik Search vendor "Traefik" | Traefik Search vendor "Traefik" for product "Traefik" | 3.0.0 Search vendor "Traefik" for product "Traefik" and version "3.0.0" | beta4 |
Affected
| ||||||