CVE-2023-47124: 
NixOS vulnerability analysis and mitigation

Traefik, an open source HTTP reverse proxy and load balancer, contains a vulnerability (CVE-2023-47124) in its HTTPChallenge configuration for Let's Encrypt TLS certificate generation and renewal. When configured to use the HTTPChallenge, the 50-second delay allowed for solving the challenge can be exploited by attackers to perform a slowloris attack. This vulnerability affects versions up to 2.10.5 and up to 3.0.0-beta4 (GitHub Advisory).

The vulnerability exists in the ACME HTTP challenge implementation where the delay authorized to solve the challenge is set to 50 seconds. This extended timeout period can be exploited through a slowloris-style attack, which is a type of denial of service attack that targets the way web servers allocate resources for maintaining connections. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.9 MEDIUM (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD).

The exploitation of this vulnerability can lead to a denial of service condition, where attackers can keep server resources occupied for extended periods through slowloris-style attacks. This can potentially make the server unresponsive to legitimate requests when using the HTTPChallenge for Let's Encrypt certificate management (GitHub Advisory).

The vulnerability has been patched in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade to these versions. For those unable to upgrade immediately, the recommended workaround is to replace the HTTPChallenge with either the TLSChallenge or the DNSChallenge (GitHub Advisory, GitHub Release).