Insufficient Verification of Data Authenticity Affecting github.com/traefik/traefik/pkg/middlewares/auth package, versions *


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.05% (24th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKPKGMIDDLEWARESAUTH-8062133
  • published20 Sept 2024
  • disclosed19 Sept 2024
  • creditdrolmat

Introduced: 19 Sep 2024

CVE-2024-45410  (opens in a new tab)
CWE-345  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity through the manipulation of HTTP headers in the HTTP/1.1 protocol. An attacker can alter or remove headers such as X-Forwarded-Host, potentially leading to security implications like access control bypass or data leakage by specifying these headers as hop-by-hop in the Connection header.

Note:

This is only exploitable if the backend application trusts the headers set by Traefik without revalidating them.

CVSS Scores

version 4.0
version 3.1