CVE-2024-45410
Published: 19 September 2024
Summary
CVE-2024-45410 is a critical-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Traefik. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 5.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
Traefik is a Go-based cloud native application proxy that adds trusted headers such as X-Forwarded-Host and X-Forwarded-Port to incoming HTTP requests before forwarding them to backend applications. CVE-2024-45410 is a header-manipulation flaw: an HTTP/1.1 client can remove, and in some cases alter, these headers by declaring them hop-by-hop in the Connection header, breaking the expectation that the proxy alone controls their values. The issue affects all versions prior to the fixes released in 2.11.9 and 3.1.3 and carries a CVSS 3.1 score of 9.8, with CWE-345 and CWE-348 cited.
An unauthenticated remote attacker can send a crafted HTTP/1.1 request that strips or overwrites the proxy-added headers, so the downstream application receives attacker-controlled values for host, port, or related forwarding information. Because many applications rely on these headers for routing, authentication, or access-control decisions, successful exploitation can lead to request smuggling, unauthorized access, or other integrity and confidentiality impacts, with no user interaction required.
The official Traefik security advisory GHSA-62c8-mh53-4cqv and the release notes for versions 2.11.9 and 3.1.3 state that the vulnerability has been resolved and that no workarounds exist; users must upgrade to a patched release. The current EPSS score of 0.1395, against a peak of 0.1427, shows no material post-disclosure rise that would indicate emerging exploitation interest.
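As an added illustration, not Traefik's code and not the actual patch, the Go function below shows the header-ordering discipline the advisory implies a reverse proxy needs: any header names the client listed in its own Connection header, plus the standard hop-by-hop headers, are removed first, and the proxy-owned X-Forwarded-* values are written afterwards from the proxy's own view of the connection, so nothing a client declares can strip or override them. The function names, the header lists and the sample values are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Standard hop-by-hop headers a proxy must not forward upstream
// (assumed list for this example, drawn from HTTP/1.1 semantics).
var hopByHop = []string{
	"Connection", "Keep-Alive", "Proxy-Authenticate", "Proxy-Authorization",
	"TE", "Trailer", "Transfer-Encoding", "Upgrade",
}

// Headers the proxy alone is supposed to control (assumed list).
var proxyOwned = []string{
	"X-Forwarded-Host", "X-Forwarded-Port", "X-Forwarded-Proto", "X-Forwarded-For",
}

// prepareOutbound builds the header set to send upstream. Order matters:
// client-declared and standard hop-by-hop headers are dropped FIRST, and the
// proxy-owned forwarding headers are set LAST from trusted values, so a client
// cannot use its Connection header to remove or replace them.
func prepareOutbound(in http.Header, host, port, proto string) http.Header {
	out := in.Clone()

	// 1. Drop every header the client named as hop-by-hop. This only ever
	//    deletes client-supplied headers; it has no influence on step 3.
	for _, v := range in.Values("Connection") {
		for _, name := range strings.Split(v, ",") {
			if name = strings.TrimSpace(name); name != "" {
				out.Del(name)
			}
		}
	}

	// 2. Drop the standard hop-by-hop headers.
	for _, h := range hopByHop {
		out.Del(h)
	}

	// 3. Remove any client-supplied copies of proxy-owned headers, then set
	//    them unconditionally from the proxy's own knowledge of the connection.
	for _, h := range proxyOwned {
		out.Del(h)
	}
	out.Set("X-Forwarded-Host", host)
	out.Set("X-Forwarded-Port", port)
	out.Set("X-Forwarded-Proto", proto)
	return out
}

// proxyHeadersIntact is a regression check: it reports whether the outbound
// headers carry exactly the proxy's values and no Connection header survived.
func proxyHeadersIntact(out http.Header, host, port, proto string) bool {
	return out.Get("X-Forwarded-Host") == host &&
		out.Get("X-Forwarded-Port") == port &&
		out.Get("X-Forwarded-Proto") == proto &&
		out.Get("Connection") == ""
}

func main() {
	// Constructed sample request headers: the client lists a proxy-owned
	// header as hop-by-hop and supplies its own value for it.
	in := http.Header{}
	in.Set("Connection", "close, X-Forwarded-Host")
	in.Set("X-Forwarded-Host", "client-supplied.example")

	out := prepareOutbound(in, "public.example", "443", "https")
	fmt.Println("X-Forwarded-Host upstream:", out.Get("X-Forwarded-Host"))
	fmt.Println("Connection upstream:", out.Get("Connection"))
	fmt.Println("proxy headers intact:", proxyHeadersIntact(out, "public.example", "443", "https"))
}
```

The same shape works as a unit test for any proxy or middleware: feed it a request whose Connection header names the forwarding headers and assert that the upstream still sees the proxy's values, not the client's.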
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2723
Vulnerability details
Traefik is a golang, Cloud Native Application Proxy. When an HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For an HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise if they can be modified. For HTTP/1.1, however, it was found that some of these custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been addressed in release versions 2.11.9 and 3.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requires explicit verification of data authenticity from authoritative sources, preventing acceptance of unauthenticated resolution responses.
- Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.
- Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts.
- Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data.
- Requires verification of data authenticity/integrity (e.g., checksums) after aggregation/packing, directly reducing exploitation of insufficient verification before transmission.
- Time synchronization supports reliable freshness verification when checking data authenticity across systems or components.
- Mandates verification of data authenticity for software, firmware, and information.
- Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history.