Homepage
About Snyk

Allocation of Resources Without Limits or Throttling Affecting github.com/traefik/traefik/v2/pkg/server package, versions <2.11.2

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.04% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMTRAEFIKTRAEFIKV2PKGSERVER-6615852
  • published 16 Apr 2024
  • disclosed 10 Jan 2024
  • credit Bartek Nowotarski
Report a new vulnerability Found a mistake?

Introduced: 10 Jan 2024

CVE-2023-45288 Open this link in a new tab
CWE-770 Open this link in a new tab

How to fix?

Upgrade github.com/traefik/traefik/v2/pkg/server to version 2.11.2 or higher.

Overview

github.com/traefik/traefik/v2/pkg/server is a server package for traefik, a cloud native edge router.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when reading header data from CONTINUATION frames. As part of the HPACK flow, all incoming HEADERS and CONTINUATION frames are read even if their payloads exceed MaxHeaderBytes and will be discarded. An attacker can send excessive data over a connection to render it unresponsive.

CVSS Scores

version 4.0
version 3.1
Expand this section

Snyk

Recommended
8.7 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Attack Requirements (AT)
    None
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Confidentiality (VC)
    None
  • Integrity (VI)
    None
  • Availability (VA)
    High
  • Confidentiality (SC)
    None
  • Integrity (SI)
    None
  • Availability (SA)
    None