You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
Traefik vulnerable to potential DDoS via ACME HTTPChallenge
Moderate severity
GitHub Reviewed
Published
Dec 4, 2023
in
traefik/traefik
•
Updated Nov 19, 2024
There is a potential vulnerability in Traefik managing the ACME HTTP challenge.
When Traefik is configured to use the HTTPChallenge to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers (slowloris attack).
Impact
There is a potential vulnerability in Traefik managing the ACME HTTP challenge.
When Traefik is configured to use the HTTPChallenge to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers (slowloris attack).
Patches
Workarounds
Replace the HTTPChallenge with the TLSChallenge or the DNSChallenge.
For more information
If you have any questions or comments about this advisory, please open an issue.
References