GHSA-rvj4-q8q5-8grf: ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability

CVSS Score (v3.1): 5.5

Basic Information

CVE ID: -
EPSS Score: -
Published: 6/20/2024
Updated: 8/8/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/traefik/traefik/v3 | go | <= 3.0.2 | 3.0.3 |
| github.com/traefik/traefik/v2 | go | <= 2.11.4 | 2.11.5 |

Vulnerability Intelligence
Root Cause Analysis

The provided data indicates the vulnerability stems from Azure Identity Libraries and a race condition (CWE-362), but no specific vulnerable functions in Traefik's codebase are explicitly identified. The patches involve updating the go-acme/lego dependency to v4.17.4, suggesting the root cause lies in this library's Azure DNS integration. Without commit diffs, code references, or explicit function names from Traefik's code, we cannot confidently pinpoint vulnerable functions within the Traefik packages themselves. The vulnerability likely resides in the interaction between go-acme/lego and Azure SDKs, but insufficient details prevent high-confidence identification of specific Traefik functions.
