Bug 2491710 (CVE-2023-54365)

Summary: CVE-2023-54365 github.com/traefik/traefik: net/http2: Traefik: Denial of Service via HTTP/2 Rapid Reset technique
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abarbaro, akostadi, akoudelk, alizardo, amasferr, amctagga, anjoseph, anpicker, ansmith, anthomas, aoconnor, asatyam, bbrownin, bdettelb, bniver, bparees, chfoley, ckandaga, cmah, crizzo, dakwon, dhanak, diagrawa, dmayorov, doconnor, drosa, dschmidt, dsimansk, dymurray, eaguilar, ebaron, eborisov, eglynn, ehelms, erezende, fdeutsch, flucifre, ggainey, gmeno, gparvin, groman, hasun, ibolton, jburrell, jcantril, jchui, jeder, jfula, jhe, jjoyce, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jowilson, jprabhak, jpretori, jschluet, juwatts, kingland, kshier, ktsao, lball, lbragsta, lchilton, lgamliel, lhh, lphiri, lwan, manissin, mbenjamin, mbocek, mburns, mgarciac, mhackett, mhulan, mnovotny, mrunge, mwringe, nboldt, ngough, nmoumoul, nyancey, oaljalju, ometelka, oramraz, osousa, pahickey, pantinor, pcreech, peholase, pgaikwad, pjindal, psrna, ptisnovs, pvasanth, rchan, rekumar, rfreiman, rgodfrey, rhaigner, rhel-process-autobot, rjohnson, rojacob, sabiswas, sakbas, sausingh, sbratsla, sdawley, sfeifer, simaishi, slucidi, smallamp, smullick, sostapov, sseago, stcannon, stirabos, swoodman, syedriko, teagle, thason, tmalecek, tsedmik, tzivkovi, vereddy, veshanka, vimartin, vkarehfa, vvoronko, watson-tool-maintainers, wenshen, whayutin, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Traefik's HTTP/2 request handling. A remote attacker can exploit this vulnerability by rapidly creating and canceling HTTP/2 streams. This can exhaust server resources, leading to a denial of service (DoS) and making the service unavailable to legitimate users. This issue is inherited from the Go standard library's HTTP/2 implementation, known as the 'Rapid Reset' technique.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-23 13:02:13 UTC 
Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.