{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-102.pdf"
    },
    "title": "Traefik Critical Vulnerability",
    "serial_number": "2024-102",
    "publish_date": "24-09-2024 11:48:58",
    "description": "On September 19, 2024, a security advisory was issued regarding a critical vulnerability, CVE-2024-45410, affecting Traefik. This vulnerability could allow an attacker to execute arbitrary commands via crafted HTTP requests, posing a significant risk to exposed services.<br>\nImmediate updates are recommended for all affected installations.<br>\n",
    "url_title": "2024-102",
    "content_markdown": "---\ntitle: 'Traefik Critical Vulnerability'\nnumber: '2024-102'\nversion: '1.0'\noriginal_date: 'September 19, 2024'\ndate: 'September 24, 2024'\n---\n\n_History:_\n\n* _24/09/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn September 19, 2024, a security advisory was issued regarding a critical vulnerability, **CVE-2024-45410**, affecting Traefik. This vulnerability could allow an attacker to execute arbitrary commands via crafted HTTP requests, posing a significant risk to exposed services [1,2].\n\nImmediate updates are recommended for all affected installations.\n\n# Technical Details\n\nThe vulnerability **CVE-2024-45410** has a CVSS score of 9.8 out of 10. It allows remote code execution due to improper validation of input.\n\nThe vulnerability arises from Traefik's handling of HTTP headers which are added during request processing. It was found that certain custom headers could be removed or manipulated due to HTTP/1.1 behaviour allowing hop-by-hop headers via the Connection header. There are no known workarounds [1,2].\n\n# Affected Products\n\n- Traefik versions prior to **2.11.9** and **3.1.3** [3,4]\n\n# Recommendations\n\nCERT-EU strongly recommends updating as soon as possible to mitigate the risk of exploitation. \n\n# References\n\n[1] <https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv>\n\n[2] <https://nvd.nist.gov/vuln/detail/CVE-2024-45410>\n\n[3] <https://github.com/traefik/traefik/releases/tag/v3.1.3>\n\n[4] <https://github.com/traefik/traefik/releases/tag/v2.11.9>",
    "content_html": "<p><em>History:</em></p><ul><li><em>24/09/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On September 19, 2024, a security advisory was issued regarding a critical vulnerability, <strong>CVE-2024-45410</strong>, affecting Traefik. This vulnerability could allow an attacker to execute arbitrary commands via crafted HTTP requests, posing a significant risk to exposed services [1,2].</p><p>Immediate updates are recommended for all affected installations.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2024-45410</strong> has a CVSS score of 9.8 out of 10. It allows remote code execution due to improper validation of input.</p><p>The vulnerability arises from Traefik's handling of HTTP headers which are added during request processing. It was found that certain custom headers could be removed or manipulated due to HTTP/1.1 behaviour allowing hop-by-hop headers via the Connection header. There are no known workarounds [1,2].</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>Traefik versions prior to <strong>2.11.9</strong> and <strong>3.1.3</strong> [3,4]</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends updating as soon as possible to mitigate the risk of exploitation.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv\">https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2024-45410\">https://nvd.nist.gov/vuln/detail/CVE-2024-45410</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/traefik/traefik/releases/tag/v3.1.3\">https://github.com/traefik/traefik/releases/tag/v3.1.3</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/traefik/traefik/releases/tag/v2.11.9\">https://github.com/traefik/traefik/releases/tag/v2.11.9</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}