CVE-2021-32813

Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation, however, the Traefik team has addressed this issue to prevent any potential abuse. If one has a chain of Traefik middlewares, and one of them sets a request header, then sending a request with a certain Connection header will cause it to be removed before the request is sent. In this case, the backend does not see the request header. A patch is available in version 2.4.13. There are no known workarounds aside from upgrading.

Published: Aug 4, 2021
Updated: May 9, 2024
CVE: CVE-2021-32813
GHSA: GHSA-m697-4v8f-55qg
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-913

Affected Software
References

Software	From	Fixed in
traefik / traefik	-	2.4.13
github.com/traefik/traefik/v2	-	2.4.13
github.com/traefik/traefik	-	1.7.30.x

Vulnerability Database

CVE-2021-32813

Deep Security Visibility Without the Complexity