{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-04T00:00:00Z",
  "bugzilla" : {
    "description" : "traefik: Bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes",
    "id" : "2296009",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2296009"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-639",
  "details" : [ "Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available.", "An authorization bypass vulnerability was found in Traefik. This flaw allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses." ],
  "statement" : "The vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes, while notable, is categorized as moderate severity rather than important. This classification stems from the requirement that an attacker leverage HTTP/3's early data feature and spoof the source IP address to exploit the flaw. As a result, successful exploitation demands specific conditions, including network-level access and manipulation capabilities, which may not be trivial in many environments.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Dev Spaces (RHOSDS) 3.23",
    "release_date" : "2025-09-15T00:00:00Z",
    "advisory" : "RHSA-2025:15847",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.23::el9",
    "package" : "devspaces/traefik-rhel9:sha256:f17428eced9d6bec1eaaa1510b68250824d3ace2f66af7f31fbf7327ca11540c"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/devspaces-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Affected",
    "package_name" : "openshift-gitops-1/argo-rollouts-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-39321\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39321\nhttps://github.com/traefik/traefik/releases/tag/v2.11.6\nhttps://github.com/traefik/traefik/releases/tag/v3.0.4\nhttps://github.com/traefik/traefik/releases/tag/v3.1.0-rc3\nhttps://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9" ],
  "name" : "CVE-2024-39321",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}