Back to KEVs

CVE-2021-32813

Drop Headers via Malicious Connection Header

Basic Information

CVE State
PUBLISHED
Reserved Date
May 12, 2021
Published Date
August 03, 2021
Last Updated
August 03, 2024
Vendor
traefik
Product
traefik
Description
Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation, however, the Traefik team has addressed this issue to prevent any potential abuse. If one has a chain of Traefik middlewares, and one of them sets a request header, then sending a request with a certain Connection header will cause it to be removed before the request is sent. In this case, the backend does not see the request header. A patch is available in version 2.4.13. There are no known workarounds aside from upgrading.

CVSS Scores

CVSS v3.1

4.8 - MEDIUM

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploit Status

Exploited in the Wild
Yes (2021-08-03 22:50:11 UTC) Source

References

https://github.com/traefik/traefik/security/advisories/GHSA-m697-4v8f-55qg https://github.com/traefik/traefik/pull/8319/commits/cbaf86a93014a969b8accf39301932c17d0d73f9 https://github.com/traefik/traefik/releases/tag/v2.4.13

Known Exploited Vulnerability Information

Source Added Date
CVE 2021-08-03 22:50:11 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel