https://bugzilla.suse.com/show_bug.cgi?id=1232951

https://bugzilla.suse.com/show_bug.cgi?id=1232951#c2

--- Comment #2 from Alexandre Vicenzi <alexandre.vicenzi@suse.com> ---

Traefik does not have a direct dependency on github.com/golang-jwt/jwt/v4. I have found the following uses:

JWT library is a dependency of github.com/Azure/go-autorest/autorest, which is a dependency of go-acme/lego, which is a dependency of Traefik.

JWT library is a dependency of github.com/yandex-cloud/go-sdk, which is a dependency of go-acme/lego, which is a dependency of Traefik.

In both cases, this should only affect users of Let's Encrypt certificate resolver with Azure or Yandex Cloud as a DNS challenge provider, but I did not find any calls to jwt.Parse and jwt.ParseWithClaims in the files that use this library.

Given the nature of this dependency, it might take a while until all dependencies and sub-dependencies are updated in Traefik.

I could not find the affected code being used; it seems that this CVE does not affect Traefik or its dependencies at this moment. Given the low score of this CVE, this fix is not critical.

The version in the bug is set to Leap 15.5; Traefik is not even in Leap, only in Tumbleweed.
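The reachability check described in the comment above (looking for jwt.Parse and jwt.ParseWithClaims in files that import the library) can be automated; the following is an added example, not part of the original comment and not code from Traefik or lego. The helper name `findJWTParseCalls` and both sample sources are constructed for illustration, and it goes slightly beyond direct calls by flagging any reference to the two functions through the file's import name.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)
// Constructed sample inputs, not code from Traefik, lego or the cloud SDKs.
const sampleParses = `package a
import gojwt "github.com/golang-jwt/jwt/v4"
func check(s string, k gojwt.Keyfunc) { _, _ = gojwt.Parse(s, k) }`
const sampleSignsOnly = `package b
import "github.com/golang-jwt/jwt/v4"
func mint(k []byte) (string, error) { return jwt.New(jwt.SigningMethodHS256).SignedString(k) }`

// findJWTParseCalls (hypothetical helper) lists "line:Func" for each reference to
// Parse or ParseWithClaims through the file's golang-jwt v4 import (no dot imports).
func findJWTParseCalls(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	local := "" // name this file uses for the package; stays empty if not imported
	for _, imp := range f.Imports {
		if imp.Path.Value == `"github.com/golang-jwt/jwt/v4"` {
			local = "jwt" // package name when no alias is given
			if imp.Name != nil {
				local = imp.Name.Name
			}
		}
	}
	var hits []string
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if id, ok := sel.X.(*ast.Ident); ok && id.Name == local &&
				(sel.Sel.Name == "Parse" || sel.Sel.Name == "ParseWithClaims") {
				hits = append(hits, fmt.Sprintf("%d:%s", fset.Position(sel.Pos()).Line, sel.Sel.Name))
			}
		}
		return true
	})
	return hits, nil
}

func main() {
	fmt.Println(findJWTParseCalls("a.go", sampleParses))
	fmt.Println(findJWTParseCalls("b.go", sampleSignsOnly))
}
```

Run over the provider source files, this complements `go mod why -m github.com/golang-jwt/jwt/v4`, which shows the import chain but not whether the parsing functions are referenced.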