CVE-2024-52003 MEDIUM

CVE-2024-52003: X-Forwarded-Prefix Header still allows for Open Redirect in traefik

Vendor Traefik
Product traefik
Weakness CWE-601 · Open redirect
Published November 29, 2024
Last update December 2, 2024

CVSS base score

6.3/10 (Medium)
Attack vector Network
Attack complexity High
Attack requirements Present
Privileges required None
User interaction None
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Traefik (pronounced "traffic") is an HTTP reverse proxy and load balancer. In affected versions, Traefik passes an X-Forwarded-Prefix header supplied by an untrusted client through to the backend instead of stripping or overwriting it. Traefik only trusts X-Forwarded-* headers from sources allowed by an entry point's forwardedHeaders.trustedIPs setting (or from anyone when forwardedHeaders.insecure is enabled); the "still" in the title indicates that an earlier fix for client-supplied X-Forwarded-* headers did not cover X-Forwarded-Prefix. A backend that builds redirect targets from the prefix (for example, sending a user to /login under the prefix the proxy reports) can therefore be made to emit a Location pointing at an attacker-chosen host, which is the open redirect (CWE-601) named in the title; exploitation depends on such backend behaviour, consistent with the vector's Attack complexity High and Attack requirements Present. The issue is fixed in versions 2.11.14 and 3.2.1. Users are advised to upgrade; there are no known workarounds for this vulnerability.
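The following is an added illustration, not Traefik's code and not part of this advisory, of why a client-controlled X-Forwarded-Prefix matters to a backend. naiveRedirectTarget mimics an application that concatenates the forwarded prefix into a Location header; validatePrefix and safeRedirectTarget are the defence-in-depth check a backend can apply regardless of proxy version, accepting only a bare path-absolute prefix and rejecting scheme-relative, percent-encoded and backslash variants. All function names and the header values are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// naiveRedirectTarget mimics a backend that trusts X-Forwarded-Prefix when it
// builds a Location header, e.g. sending an unauthenticated user to the login
// page under the prefix the proxy reported. The prefix is concatenated as-is.
func naiveRedirectTarget(forwardedPrefix, route string) string {
	return strings.TrimSuffix(forwardedPrefix, "/") + route
}

// isSameOriginLocation conservatively reports whether a Location value keeps
// the browser on the current origin: no scheme, no authority, and neither the
// raw string nor its percent-decoded path starts with "//" or contains "\",
// which browsers (or a decoding server) may read as a network-path reference.
func isSameOriginLocation(location string) bool {
	u, err := url.Parse(location)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return false
	}
	for _, p := range []string{location, u.Path} {
		if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") || strings.Contains(p, "\\") {
			return false
		}
	}
	return true
}

// validatePrefix is the hardened counterpart: it accepts only a bare,
// path-absolute prefix and normalises it. An empty header means no prefix.
func validatePrefix(raw string) (string, error) {
	if raw == "" {
		return "", nil
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("unparseable X-Forwarded-Prefix %q: %w", raw, err)
	}
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" ||
		u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("X-Forwarded-Prefix %q is not a bare path", raw)
	}
	// u.Path is percent-decoded, so "/%2f%2fevil.example" is caught here as "//evil.example".
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") ||
		strings.Contains(u.Path, "\\") {
		return "", fmt.Errorf("X-Forwarded-Prefix %q could be read as a network-path reference", raw)
	}
	return path.Clean(u.Path), nil
}

// safeRedirectTarget builds the Location only from a validated prefix.
func safeRedirectTarget(forwardedPrefix, route string) (string, error) {
	prefix, err := validatePrefix(forwardedPrefix)
	if err != nil {
		return "", err
	}
	return strings.TrimSuffix(prefix, "/") + route, nil
}

func main() {
	// Constructed header values for the demonstration, not captured traffic.
	headers := []string{
		"/app",
		"//evil.example",
		"https://evil.example",
		"/%2f%2fevil.example",
		"/\\evil.example",
	}
	for _, hdr := range headers {
		naive := naiveRedirectTarget(hdr, "/login")
		safe, err := safeRedirectTarget(hdr, "/login")
		fmt.Printf("%-22q naive=%-30q sameOrigin=%-5v safe=%q err=%v\n",
			hdr, naive, isSameOriginLocation(naive), safe, err)
	}
}
```

Running main shows that only "/app" yields a same-origin Location from the naive builder, while every other constructed value becomes an off-site or ambiguous redirect; the validating builder rejects all of them and returns an error the handler can turn into a plain same-origin redirect.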

Key dates

Disclosure timeline

November 29, 2024 CVE published
December 2, 2024 Record updated