Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration
Vulnerability Description
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. This issue is patched in versions 2.11.41, 3.6.11 and 3.7.0-ea.2.
CVSS Information
N/A
Vulnerability Type
通过时间差异性导致的信息暴露
Vulnerability Title
Traefik 安全漏洞
Vulnerability Description
Traefik是Traefik开源的一款反向代理与负载均衡工具。 Traefik 2.11.40及之前版本、3.0.0-beta1至3.6.11版本和3.7.0-ea.1版本存在安全漏洞,该漏洞源于BasicAuth中间件存在时间差,可能导致用户名枚举。
CVSS Information
N/A
Vulnerability Type
N/A