{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39321", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-21T18:15:22.263Z", "datePublished": "2024-07-05T17:32:06.688Z", "dateUpdated": "2024-08-02T04:19:20.719Z"}, "containers": {"cna": {"title": "Traefik vulnerable to bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.11.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.6"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.0.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.0.4"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3", "tags": ["x_refsource_MISC"], "url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3"}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"version": "< 2.11.6", "status": "affected"}, {"version": ">= 3.0.0-beta3, < 3.0.4", "status": "affected"}, {"version": ">= 3.1.0-rc1, < 3.1.0-rc3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-05T17:32:06.688Z"}, "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available."}], "source": {"advisory": "GHSA-gxrv-wf35-62w9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-05T20:07:02.660742Z", "id": "CVE-2024-39321", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T20:07:14.424Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:19:20.719Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9"}, {"name": "https://github.com/traefik/traefik/releases/tag/v2.11.6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.6"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.0.4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/traefik/traefik/releases/tag/v3.0.4"}, {"name": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39321", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-05T20:07:02.660742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T20:07:09.952Z"}}], "cna": {"title": "Traefik vulnerable to bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes", "source": {"advisory": "GHSA-gxrv-wf35-62w9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "traefik", "product": "traefik", "versions": [{"status": "affected", "version": "< 2.11.6"}, {"status": "affected", "version": ">= 3.0.0-beta3, < 3.0.4"}, {"status": "affected", "version": ">= 3.1.0-rc1, < 3.1.0-rc3"}]}], "references": [{"url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9", "name": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v2.11.6", "name": "https://github.com/traefik/traefik/releases/tag/v2.11.6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.0.4", "name": "https://github.com/traefik/traefik/releases/tag/v3.0.4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3", "name": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-05T17:32:06.688Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39321", "state": "PUBLISHED", "dateUpdated": "2024-07-05T20:07:14.424Z", "dateReserved": "2024-06-21T18:15:22.263Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-05T17:32:06.688Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9D1F5C0-4B9B-4F4A-B8EC-CEE987D7CE06", "versionEndExcluding": "2.11.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*", "matchCriteriaId": "5FC9E015-376F-4323-8493-1067B1E506DC", "versionEndExcluding": "3.0.4", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:3.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "26F0E6E9-13E6-4CEC-AC68-82DFF86AB3AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:3.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "807C986B-A9D5-4516-BE4C-37AF99257592", "vulnerable": true}, {"criteria": "cpe:2.3:a:traefik:traefik:3.1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "9CF1490E-811C-4531-A02A-1D189EDF0D5A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available."}, {"lang": "es", "value": "Traefik es un proxy inverso HTTP y un equilibrador de carga. Las versiones anteriores a 2.11.6, 3.0.4 y 3.1.0-rc3 tienen una vulnerabilidad que permite eludir las listas de direcciones IP permitidas a trav\u00e9s de solicitudes de datos tempranas HTTP/3 en protocolos de enlace QUIC 0-RTT enviados con direcciones IP falsificadas. Las versiones 2.11.6, 3.0.4 y 3.1.0-rc3 contienen un parche para este problema. No hay soluciones conocidas disponibles."}], "id": "CVE-2024-39321", "lastModified": "2025-11-25T14:08:47.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-07-05T18:15:32.430", "references": [{"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.6"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.0.4"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3"}, {"source": "[email protected]", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v2.11.6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.0.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "[email protected]", "type": "Secondary"}]}

{"bugzilla": {"description": "traefik: Bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes", "id": "2296009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296009"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-639", "details": ["Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available.", "An authorization bypass vulnerability was found in Traefik. This flaw allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-39321", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/devspaces-rhel8-operator", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argo-rollouts-rhel8", "product_name": "Red Hat OpenShift GitOps"}], "public_date": "2024-07-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-39321\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39321\nhttps://github.com/traefik/traefik/releases/tag/v2.11.6\nhttps://github.com/traefik/traefik/releases/tag/v3.0.4\nhttps://github.com/traefik/traefik/releases/tag/v3.1.0-rc3\nhttps://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9"], "statement": "The vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes, while notable, is categorized as moderate severity rather than important. This classification stems from the requirement for an attacker to leverage HTTP/3's early data feature and perform spoofed IP address manipulation to exploit the flaw. As a result, successful exploitation demands specific conditions, including network-level access and manipulation capabilities, which may not be trivial in many environments.", "threat_severity": "Moderate"}