Traefik has unexpected behavior with IPv4-mapped IPv6 addresses

Moderate severity GitHub Reviewed Published Jun 11, 2024 in traefik/traefik • Updated Jun 17, 2024

Package: gomod github.com/traefik/traefik (Go)
Affected versions: < 2.11.4
Patched versions: 2.11.4

Package: gomod github.com/traefik/traefik/v2 (Go)
Affected versions: < 2.11.4
Patched versions: 2.11.4

Package: gomod github.com/traefik/traefik/v3 (Go)
Affected versions: >= 3.0.0-beta3, < 3.0.2
Patched versions: 3.0.2

Description

Impact

There is a vulnerability in how Go handles the various Is methods (IsPrivate, IsLoopback, etc.) for IPv4-mapped IPv6 addresses.

These methods did not work as expected: they returned false for addresses that would return true in their traditional IPv4 forms.
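
An added example, not taken from the advisory or from Traefik's code: in Go code of your own that makes the same kind of range check, converting the address with Unmap() before calling the Is methods gives the IPv4 answer for mapped forms. It assumes the methods are those of net/netip.Addr (the advisory does not name the package); Classify, WasMapped and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Assumption: the Is methods discussed are those of net/netip.Addr.

// Classify reports which special-purpose range an address falls in.
// It calls Unmap() first so that an IPv4-mapped IPv6 address such as
// ::ffff:127.0.0.1 is judged as the IPv4 address it carries, whatever
// the Go release in use does with the mapped form.
func Classify(s string) (string, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return "", fmt.Errorf("parse %q: %w", s, err)
	}
	ip := addr.Unmap() // no-op for plain IPv4 and native IPv6
	switch {
	case ip.IsUnspecified():
		return "unspecified", nil
	case ip.IsLoopback():
		return "loopback", nil
	case ip.IsPrivate():
		return "private", nil
	case ip.IsLinkLocalUnicast():
		return "link-local", nil
	default:
		return "other", nil
	}
}

// WasMapped reports whether the input arrived in IPv4-mapped IPv6 form,
// which is worth logging when it shows up in a client-address field.
func WasMapped(s string) bool {
	addr, err := netip.ParseAddr(s)
	return err == nil && addr.Is4In6()
}

func main() {
	// Constructed sample inputs.
	for _, s := range []string{
		"127.0.0.1", "::ffff:127.0.0.1", "::ffff:10.1.2.3",
		"::ffff:169.254.169.254", "::ffff:8.8.8.8", "fd00::1", "::1",
	} {
		class, err := Classify(s)
		fmt.Printf("%-24s mapped=%-5v class=%s err=%v\n", s, WasMapped(s), class, err)
	}
}
```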

References

Patches

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

References

@nmengin nmengin published to traefik/traefik Jun 11, 2024
Published to the GitHub Advisory Database Jun 11, 2024
Reviewed Jun 11, 2024
Last updated Jun 17, 2024

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-7jmw-8259-q9jx
