CVE-2024-39321 - Vulnerability Details - OpenCVE

Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://github.com/traefik/traefik/releases/tag/v2.11.6
https://github.com/traefik/traefik/releases/tag/v3.0.4
https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3
https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9
https://nvd.nist.gov/vuln/detail/CVE-2024-39321
https://www.cve.org/CVERecord?id=CVE-2024-39321

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-05T17:32:06.688Z

Updated: 2024-08-02T04:19:20.719Z

Reserved: 2024-06-21T18:15:22.263Z

Link: CVE-2024-39321

Vulnrichment

Updated: 2024-07-05T20:07:09.952Z

NVD

Status : Awaiting Analysis

Published: 2024-07-05T18:15:32.430

Modified: 2024-11-21T09:27:27.390

Link: CVE-2024-39321

Redhat

Severity : Moderate

Publid Date: 2024-07-04T00:00:00Z

Links: CVE-2024-39321 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39321", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-21T18:15:22.263Z", "datePublished": "2024-07-05T17:32:06.688Z", "dateUpdated": "2024-08-02T04:19:20.719Z"}, "containers": {"cna": {"title": "Traefik vulnerable to bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.11.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.6"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.0.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.0.4"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 2.11.6", "status": "affected"}, {"version": ">= 3.0.0-beta3, < 3.0.4", "status": "affected"}, {"version": ">= 3.1.0-rc1, < 3.1.0-rc3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-05T17:32:06.688Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available."}], "source": {"advisory": "GHSA-gxrv-wf35-62w9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-05T20:07:02.660742Z", "id": "CVE-2024-39321", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T20:07:14.424Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:19:20.719Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.11.6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.6"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.0.4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/traefik/traefik/releases/tag/v3.0.4"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39321", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-05T20:07:02.660742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T20:07:09.952Z"}}], "cna": {"title": "Traefik vulnerable to bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes", "source": {"advisory": "GHSA-gxrv-wf35-62w9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": "< 2.11.6"}, {"status": "affected", "version": ">= 3.0.0-beta3, < 3.0.4"}, {"status": "affected", "version": ">= 3.1.0-rc1, < 3.1.0-rc3"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.11.6", "name": "https://github.com/traefik/traefik/releases/tag/v2.11.6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.0.4", "name": "https://github.com/traefik/traefik/releases/tag/v3.0.4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3", "name": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-05T17:32:06.688Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39321", "state": "PUBLISHED", "dateUpdated": "2024-07-05T20:07:14.424Z", "dateReserved": "2024-06-21T18:15:22.263Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-05T17:32:06.688Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available."}, {"lang": "es", "value": "Traefik es un proxy inverso HTTP y un equilibrador de carga. Las versiones anteriores a 2.11.6, 3.0.4 y 3.1.0-rc3 tienen una vulnerabilidad que permite eludir las listas de direcciones IP permitidas a trav\u00e9s de solicitudes de datos tempranas HTTP/3 en protocolos de enlace QUIC 0-RTT enviados con direcciones IP falsificadas. Las versiones 2.11.6, 3.0.4 y 3.1.0-rc3 contienen un parche para este problema. No hay soluciones conocidas disponibles."}], "id": "CVE-2024-39321", "lastModified": "2024-11-21T09:27:27.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-05T18:15:32.430", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/releases/tag/v2.11.6"}, {"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/releases/tag/v3.0.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3"}, {"source": "security-advisories@github.com", "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/traefik/traefik/releases/tag/v2.11.6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/traefik/traefik/releases/tag/v3.0.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "traefik: Bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes", "id": "2296009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296009"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-639", "details": ["Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available.", "An authorization bypass vulnerability was found in Traefik. This flaw allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-39321", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/devspaces-rhel8-operator", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argo-rollouts-rhel8", "product_name": "Red Hat OpenShift GitOps"}], "public_date": "2024-07-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-39321\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39321\nhttps://github.com/traefik/traefik/releases/tag/v2.11.6\nhttps://github.com/traefik/traefik/releases/tag/v3.0.4\nhttps://github.com/traefik/traefik/releases/tag/v3.1.0-rc3\nhttps://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9"], "statement": "The vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes, while notable, is categorized as moderate severity rather than important. This classification stems from the requirement for an attacker to leverage HTTP/3's early data feature and perform spoofed IP address manipulation to exploit the flaw. As a result, successful exploitation demands specific conditions, including network-level access and manipulation capabilities, which may not be trivial in many environments.", "threat_severity": "Moderate"}