CVE-2024-45410: 
NixOS vulnerability analysis and mitigation

CVE-2024-45410 is a critical vulnerability affecting Traefik, a golang Cloud Native Application Proxy. The vulnerability was discovered and disclosed on September 19, 2024, affecting versions prior to 2.11.9 and 3.1.3. The issue arises when Traefik processes HTTP requests, where certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added before request routing. The vulnerability allows attackers to remove or manipulate these headers through HTTP/1.1 behavior that enables headers to be defined as hop-by-hop via the HTTP Connection header (GHSA Advisory, NVD).

The vulnerability has received a CVSS v3.1 score of 9.8 (Critical) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The technical exploit involves manipulating the HTTP Connection header to remove or modify custom headers added by Traefik. For example, by setting 'Connection: close, X-Forwarded-Host', an attacker can remove the X-Forwarded-Host header. The vulnerability affects multiple headers including X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto, X-Forwarded-Server, X-Real-Ip, X-Forwarded-Tls-Client-Cert, and X-Forwarded-Tls-Client-Cert-Info (GHSA Advisory).

The vulnerability affects all applications that trust the custom headers set by Traefik. In scenarios where backend applications trust Traefik to validate client certificates through the X-Forwarded-Tls-Client-Cert header without additional validation, attackers could potentially achieve privilege escalation by injecting invalid certificates. Additionally, if backend applications use any of the affected custom headers for security-sensitive operations, the ability to remove or modify these headers could lead to access control bypass (GHSA Advisory).

The vulnerability has been patched in Traefik versions 2.11.9 and 3.1.3. There are no known workarounds for this vulnerability, and immediate updates are strongly recommended for all affected installations (CERT-EU, GHSA Advisory).