Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HTTP client can remove the X-Forwarded headers in Traefik
Vulnerability Description
Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified. For HTTP/1.1, however, it was found that some of theses custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior, that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been addressed in release versions 2.11.9 and 3.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
对数据真实性的验证不充分
Vulnerability Title
Traefik 安全漏洞
Vulnerability Description
Traefik是Traefik开源的一款开源的反向代理与负载均衡工具。 Traefik 2.11.8及之前版本和v3.1.2及之前版本存在安全漏洞,该漏洞源于HTTP/1.1协议下通过HTTP Connection头定义某些特定HTTP头作为跳跃头,导致这些头可以被移除或在某些情况下被篡改。
CVSS Information
N/A
Vulnerability Type
N/A