Vulnerability Description
Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. There has been a patch released in versions 2.8.8 and 2.9.0-rc5. There are currently no known workarounds.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Traefik | Traefik | < 2.8.8 |
Related Weaknesses (CWE)
References
- https://github.com/traefik/traefik/releases/tag/v2.8.8Release NotesThird Party Advisory
- https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5Release NotesThird Party Advisory
- https://github.com/traefik/traefik/security/advisories/GHSA-c6hx-pjc3-7fqrPatchThird Party Advisory
- https://github.com/traefik/traefik/releases/tag/v2.8.8Release NotesThird Party Advisory
- https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5Release NotesThird Party Advisory
- https://github.com/traefik/traefik/security/advisories/GHSA-c6hx-pjc3-7fqrPatchThird Party Advisory
FAQ
What is CVE-2022-39271?
CVE-2022-39271 is a vulnerability with a CVSS score of 7.5 (HIGH). Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A clos...
How severe is CVE-2022-39271?
CVE-2022-39271 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-39271?
Check the references section above for vendor advisories and patch information. Affected products include: Traefik Traefik.