GMS-2022-5243: Traefik HTTP/2 connections management could cause a denial of service

October 10, 2022

Impact

There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

Patches

Traefik v2.8.x: https://github.com/traefik/traefik/releases/tag/v2.8.8 Traefik v2.9.x: https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

References

github.com/advisories/GHSA-c6hx-pjc3-7fqr
github.com/traefik/traefik/releases/tag/v2.8.8
github.com/traefik/traefik/releases/tag/v2.9.0-rc5
github.com/traefik/traefik/security/advisories/GHSA-c6hx-pjc3-7fqr

Code Behaviors & Features

Detect and mitigate GMS-2022-5243 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →