NVD:CVE-2022-39271
History: Oct 11, 2022 - 2:15 p.m.

CVE-2022-39271

2022-10-11 14:15:09
CWE-400
CWE-755
web.nvd.nist.gov
traefik
http/2
vulnerability
denial of service
patch

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 36.3%

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in how Traefik manages HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. A patch has been released in versions 2.8.8 and 2.9.0-rc5. There are currently no known workarounds.

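Affected configurations

Nvd

Node

| Vendor | Product | Condition | Version |
|---|---|---|---|
| traefik | traefik | Range | <2.8.8 |
| OR | | | |
| traefik | traefik | Match | 2.9.0 rc1 |
| OR | | | |
| traefik | traefik | Match | 2.9.0 rc2 |
| OR | | | |
| traefik | traefik | Match | 2.9.0 rc3 |
| OR | | | |
| traefik | traefik | Match | 2.9.0 rc4 |

| Vendor | Product | Version | CPE |
|---|---|---|---|
| traefik | traefik | * | cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:* |
| traefik | traefik | 2.9.0 | cpe:2.3:a:traefik:traefik:2.9.0:rc1:*:*:*:*:*:* |
| traefik | traefik | 2.9.0 | cpe:2.3:a:traefik:traefik:2.9.0:rc2:*:*:*:*:*:* |
| traefik | traefik | 2.9.0 | cpe:2.3:a:traefik:traefik:2.9.0:rc3:*:*:*:*:*:* |
| traefik | traefik | 2.9.0 | cpe:2.3:a:traefik:traefik:2.9.0:rc4:*:*:*:*:*:* |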
