x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-m697-4v8f-55qg

[GoVulnBot]

In GitHub Security Advisory GHSA-m697-4v8f-55qg, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/traefik/traefik		<= 1.7.30

Cross references:

• CVE-2021-32813 appears in issue x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2021-32813, GHSA-m697-4v8f-55qg #923 NOT_IMPORTABLE
• GHSA-m697-4v8f-55qg appears in issue x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2021-32813, GHSA-m697-4v8f-55qg #923 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - {}
    packages:
      - package: github.com/traefik/traefik
  - module: TODO
    versions:
      - fixed: 2.4.13
    packages:
      - package: github.com/traefik/traefik/v2
description: |
    # Impact

    There exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation, however, the Traefik team has addressed this issue to prevent any potential abuse.

    # Details

    If you have a chain of Traefik middlewares, and one of them sets a request header `Important-Security-Header`, then sending a request with the following Connection header will cause it to be removed before the request was sent:

    ```
    curl 'https://example.com' -H "Connection: Important-Security-Header" -0
    ```

    In this case, the backend does not see the request header `Important-Security-Header`.

    # Patches

    Traefik v2.4.x: https://github.com/traefik/traefik/releases/tag/v2.4.13

    # Workarounds

    No.

    # For more information

    If you have any questions or comments about this advisory, [open an issue](https://github.com/traefik/traefik/issues).
cves:
  - CVE-2021-32813
ghsas:
  - GHSA-m697-4v8f-55qg

[tatianab]

Duplicate of #923