Cyber Resilience

CVE-2024-45410

Critical

Published: 19 September 2024

Published
19 September 2024
Modified
25 September 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1395 94.5th percentile
Risk Priority 28 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45410 is a critical-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Traefik Traefik. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 5.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Traefik is a Go-based cloud native application proxy that adds trusted headers such as X-Forwarded-Host and X-Forwarded-Port to incoming HTTP requests before forwarding them to backend applications. CVE-2024-45410 is a header-manipulation flaw that allows HTTP/1.1 clients to remove or alter these headers by declaring them hop-by-hop through the Connection header, violating the expectation that the proxy alone controls their values. The issue affects all versions prior to the fixes released in 2.11.9 and 3.1.3 and carries a CVSS 3.1 score of 9.8 with CWE-345 and CWE-348.

An unauthenticated remote attacker can send a crafted HTTP/1.1 request that strips or overwrites the proxy-added headers, causing the downstream application to receive attacker-controlled values for host, port, or related forwarding information. Because many applications rely on these headers for routing, authentication, or access-control decisions, successful exploitation can lead to request smuggling, unauthorized access, or other integrity and confidentiality impacts without requiring any user interaction.

The official Traefik security advisory GHSA-62c8-mh53-4cqv and the corresponding release notes for versions 2.11.9 and 3.1.3 state that the vulnerability has been resolved and that no workarounds exist; users must upgrade to a patched release. The current EPSS score of 0.1395 with a peak of 0.1427 shows no material post-disclosure rise that would indicate emerging exploitation interest.

EU & UK References

Vulnerability details

Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client,…

more

it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified. For HTTP/1.1, however, it was found that some of theses custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior, that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been addressed in release versions 2.11.9 and 3.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

traefik
traefik
≤ 2.11.9 · 3.0.0 — 3.1.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-345 CWE-348

Requires explicit verification of data authenticity from authoritative sources, preventing acceptance of unauthenticated resolution responses.

addresses: CWE-345

Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.

addresses: CWE-345

Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts.

addresses: CWE-345

Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data.

addresses: CWE-345

Control requires verification of data authenticity/integrity (e.g., checksums) after aggregation/packing, directly reducing exploitation of insufficient verification before transmission.

addresses: CWE-345

Time synchronization supports reliable freshness verification when checking data authenticity across systems or components.

addresses: CWE-345

Mandates verification of data authenticity for software, firmware, and information.

addresses: CWE-345

Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history.

References