CVE-2021-32813 - log back

CVE-2021-32813 edited at 04 Aug 2021 08:44:44
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Privilege escalation
Description
+ Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation; however, the Traefik team has addressed this issue to prevent any potential abuse. If one has a chain of Traefik middlewares, and one of them sets a request header, then sending a request with a Connection header that names that header will cause the header to be removed before the request is forwarded. In this case, the backend does not see the request header.
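The ordering problem the description refers to, as an added illustration (not Traefik's own code): names listed in a client's Connection header are hop-by-hop and get stripped by a proxy, so if that stripping runs after a middleware has set a header, the client can erase it. The header name X-Authenticated-User and the middleware are hypothetical; the fixed variant strips client-controlled hop-by-hop names before any middleware runs.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// stripConnectionHeaders drops every header named in the Connection header
// (hop-by-hop semantics, RFC 7230 section 6.1), then Connection itself.
func stripConnectionHeaders(h http.Header) {
	for _, v := range h.Values("Connection") {
		for _, name := range strings.Split(v, ",") {
			if name = strings.TrimSpace(name); name != "" {
				h.Del(name)
			}
		}
	}
	h.Del("Connection")
}

// middleware models a hypothetical middleware that sets a request header the
// backend trusts (e.g. an identity established at the proxy).
func middleware(h http.Header) { h.Set("X-Authenticated-User", "alice") }

// vulnerableOrder runs the middleware first and strips hop-by-hop headers
// afterwards, so "Connection: X-Authenticated-User" from the client removes
// the header the middleware just set.
func vulnerableOrder(h http.Header) http.Header {
	out := h.Clone()
	middleware(out)
	stripConnectionHeaders(out)
	return out
}

// fixedOrder strips client-controlled hop-by-hop names before any middleware
// runs, so the middleware-set header always reaches the backend.
func fixedOrder(h http.Header) http.Header {
	out := h.Clone()
	stripConnectionHeaders(out)
	middleware(out)
	return out
}

func main() {
	// Constructed request headers: a client naming the trusted header as hop-by-hop.
	req := http.Header{"Connection": {"keep-alive, X-Authenticated-User"}}
	fmt.Printf("vulnerable order -> %q\n", vulnerableOrder(req).Get("X-Authenticated-User"))
	fmt.Printf("fixed order      -> %q\n", fixedOrder(req).Get("X-Authenticated-User"))
}
```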
References
+ https://github.com/traefik/traefik/security/advisories/GHSA-m697-4v8f-55qg
+ https://github.com/traefik/traefik/pull/8319
+ https://github.com/traefik/traefik/commit/b386964abcd3322e9e975a63c8c8e774b9edadcf
Notes
CVE-2021-32813 created at 04 Aug 2021 08:42:25