x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2024-39321

[GoVulnBot]

Advisory CVE-2024-39321 references a vulnerability in the following Go modules:

Module
github.com/traefik/traefik

Description:
Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available.

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-39321
• WEB: https://github.com/traefik/traefik/releases/tag/v2.11.6
• WEB: https://github.com/traefik/traefik/releases/tag/v3.0.4
• WEB: https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3
• WEB: GHSA-gxrv-wf35-62w9

Cross references:

• Module github.com/traefik/traefik appears in issue x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2022-23632 #325 EFFECTIVELY_PRIVATE
• Module github.com/traefik/traefik appears in issue x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7h6j-2268-fhcm #808 NOT_IMPORTABLE
• Module github.com/traefik/traefik appears in issue x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2021-32813, GHSA-m697-4v8f-55qg #923 NOT_IMPORTABLE
• Module github.com/traefik/traefik appears in issue x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7v4p-328v-8v5g #2117 DEPENDENT_VULNERABILITY
• Module github.com/traefik/traefik appears in issue x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2023-47106 #2376 EFFECTIVELY_PRIVATE
• Module github.com/traefik/traefik appears in issue x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2023-47633 #2377 EFFECTIVELY_PRIVATE
• Module github.com/traefik/traefik appears in issue x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-4vwx-54mw-vqfw #2722
• Module github.com/traefik/traefik appears in issue x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-7f4j-64p6-5h5v #2726
• Module github.com/traefik/traefik appears in issue x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-f7cq-5v43-8pwp #2880
• Module github.com/traefik/traefik appears in issue x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7jmw-8259-q9jx #2917
• Module github.com/traefik/traefik appears in issue x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-rvj4-q8q5-8grf #2941

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/traefik/traefik
      vulnerable_at: 1.7.34
summary: CVE-2024-39321 in github.com/traefik/traefik
cves:
    - CVE-2024-39321
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39321
    - web: https://github.com/traefik/traefik/releases/tag/v2.11.6
    - web: https://github.com/traefik/traefik/releases/tag/v3.0.4
    - web: https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3
    - web: https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9
source:
    id: CVE-2024-39321
    created: 2024-07-05T19:01:11.331696342Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/597158 mentions this issue: data/reports: add 7 unreviewed reports