Update module github.com/traefik/traefik/v2 to v2.11.15 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/traefik/traefik/v2	v2.11.10 -> v2.11.15

GitHub Vulnerability Alerts

CVE-2024-52003

Impact

There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.14
• https://github.com/traefik/traefik/releases/tag/v3.2.1

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description

Summary

The previously reported open redirect (GHSA-6qq8-5wq3-86rp) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL.

Details

The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path:

http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound)

func safePrefix(req *http.Request) string {
	prefix := req.Header.Get("X-Forwarded-Prefix")
	if prefix == "" {
		return ""
	}

	parse, err := url.Parse(prefix)
	if err != nil {
		return ""
	}

	return parse.Path
}

PoC

An attacker can bypass this by sending the following payload:

curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/

or similar:

curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %2f%2fa.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/

Impact

Similar to the previously reported bug. In cache poisoning scenarios this may be exploitable.

GHSA-hxr6-2p24-hf98

There is a potential vulnerability in Traefik managing HTTP/3 connections.

More details in the CVE-2024-53259.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.15
• https://github.com/traefik/traefik/releases/tag/v3.2.2

Workarounds

No workaround

For more information

If you have any questions or comments about this advisory, please open an issue.

---

Release Notes

traefik/traefik (github.com/traefik/traefik/v2)

v2.11.15

Compare Source

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.20.4 (#​11295 by ldez)
• [http3] Update github.com/quic-go/quic-go to v0.48.2 (#​11320 by kevinpollet)

v2.11.14

Compare Source

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.20.2 (#​11263 by ldez)
• [logs,server] Change level of peeking first byte error log to DEBUG (#​11254 by rtribotte)
• [middleware,server] Drop untrusted X-Forwarded-Prefix header (#​11253 by rtribotte)
• [server] Apply keepalive config to h2c entrypoints (#​11276 by davefu113)
• [service] Fix internal handlers ServiceBuilder composition (#​11281 by juliens)

Documentation:

• [accesslogs] Update access-logs.md, add examples for accesslog.format (#​11275 by bluepuma77)
• Fix the defaultRule CLI examples (#​11282 by kevinpollet)
• Fix spelling, grammar, and rephrase sections for clarity in some documentation pages (#​11280 by AntoineDeveloper)
• Fix absolute link in the migration guide (#​11269 by kevinpollet)
• Add X-Forwarded-Prefix to the migration guide (#​11267 by kevinpollet)
• Fix a small typo in entrypoints documentation (#​11261 by quiode)
• Add a warning about environment variables casing for static configuration (#​11226 by anchal00)
• Improve documentation on dashboard (#​11220 by mloiseleur)

v2.11.13

Compare Source

All Commits

Bug fixes:

• [middleware,service] Panic on aborted requests to properly close the connection (#​11129 by tonybart1337)

Documentation:

• Update business callouts (#​11217 by tomatokoolaid)

v2.11.12

Compare Source

All Commits

Bug fixes:

• [middleware] Bump github.com/klauspost/compress to dbd6c38 (#​11162 by kevinpollet)
• [webui] Upgrade to node 22.9 and yarn lock to fix vulnerabilities (#​11173 by kevinpollet)
• [webui] Adopt a layout for the large amount of entrypoint port numbers (#​11157 by framebassman)

Documentation:

• [accesslogs] Clarify that only header fields may be redacted in access-logs (#​11139 by mattbnz)
• Update business callout (#​11172 by tomatokoolaid)

v2.11.11

Compare Source

All Commits

Bug fixes:

• [acme] Ensure defaultGeneratedCert.main as Subject's CN (#​10581 by Lamatte)
• [middleware,authentication] Clean connection headers for forward auth request only (#​11095 by rtribotte)
• [middleware] Bump github.com/klauspost/compress to 8e14b1b (#​11141 by kevinpollet)
• [server] Rework condition to not log on timeout (#​11133 by rtribotte)
• [webui] Remove unused boot files from webui (#​11109 by michelheusschen)

Documentation:

• [accesslogs] Specify default format value for access log (#​11130 by darkweaver87)
• [api] Update API documentation to mention pagination (#​11115 by lyrandy)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 10 additional dependencies were updated

Details:

Package	Change
github.com/cloudflare/cloudflare-go	v0.104.0 -> v0.108.0
github.com/miekg/dns	v1.1.59 -> v1.1.62
golang.org/x/crypto	v0.27.0 -> v0.28.0
golang.org/x/net	v0.29.0 -> v0.30.0
golang.org/x/oauth2	v0.21.0 -> v0.23.0
golang.org/x/sys	v0.25.0 -> v0.26.0
golang.org/x/term	v0.24.0 -> v0.25.0
golang.org/x/text	v0.18.0 -> v0.19.0
golang.org/x/time	v0.6.0 -> v0.7.0
google.golang.org/protobuf	v1.34.2 -> v1.35.1