CVE-2024-28869: Traefik vulnerable to denial of service with Content-length header
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.30157%
CWE
Published
4/12/2024
Updated
4/15/2024
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/traefik/traefik/v3 | go | >= 3.0.0-beta3, <= 3.0.0-rc4 | 3.0.0-rc5 |
| github.com/traefik/traefik/v2 | go | <= 2.11.1 | 2.11.2 |
| github.com/traefik/traefik | go | <= 2.11.1 | 2.11.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper handling of requests with Content-Length headers and no body, causing Traefik to wait indefinitely. The patch explicitly changes the DefaultReadTimeout from 5s to 60s in static_config.go, indicating this configuration value directly influenced the timeout behavior. The CWE-404 (resource shutdown failure) and CWE-755 (exceptional condition mishandling) align with the lack of proper timeout enforcement. While no specific request-handling function is named in the provided data, the DefaultReadTimeout constant's role in configuring server timeouts makes it the clearest vulnerable component.