Vulnerabilities related to Apache Software Foundation - Apache Traffic Server
CVE-2017-7671 (GCVE-0-2017-7671)
Vulnerability from cvelistv5
Published
2018-02-27 20:00
Modified
2024-09-16 22:09
Summary
There is a DOS attack vulnerability in Apache Traffic Server (ATS) 5.2.0 to 5.3.2, 6.0.0 to 6.2.0, and 7.0.0 with the TLS handshake. This issue can cause the server to coredump.
References
URL | Tags
---|---
https://www.debian.org/security/2018/dsa-4128 | vendor-advisory, x_refsource_DEBIAN
https://lists.apache.org/thread.html/203bdcf9bbb718f3dc6f7aaf3e2af632474d51fa9e7bfb7832729905%40%3Cdev.trafficserver.apache.org%3E | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 5.2.0 to 5.3.2; 6.0.0 to 6.2.0; 7.0.0
CVE-2022-47184 (GCVE-0-2022-47184)
Vulnerability from cvelistv5
Published
2023-06-14 07:42
Modified
2025-02-13 16:33
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server. This issue affects Apache Traffic Server: 8.0.0 to 9.2.0.
References
URL | Tags
---|---
https://lists.apache.org/thread/tns2b4khyyncgs5v5p9y35pobg9z2bvs | vendor-advisory
https://www.debian.org/security/2023/dsa-5435 |
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6GDCBNFDDW6ULW7CACJCPENI7BVDHM5O/ |
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGWXNAEEVRUZ5JG4EJAIIFC3CI7LFETV/ |
https://lists.debian.org/debian-lts-announce/2023/06/msg00037.html |
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 8.0.0 to 9.2.0
CVE-2021-27577 (GCVE-0-2021-27577)
Vulnerability from cvelistv5
Published
2021-06-29 11:45
Modified
2024-08-03 21:26
Summary
Incorrect handling of URL fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
References
URL | Tags
---|---
https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E | x_refsource_MISC
https://www.debian.org/security/2021/dsa-4957 | vendor-advisory, x_refsource_DEBIAN
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 7.0.0 to 7.1.12; 8.0.0 to 8.1.1; 9.0.0 to 9.0.1
CVE-2021-37149 (GCVE-0-2021-37149)
Vulnerability from cvelistv5
Published
2021-11-03 15:20
Modified
2024-08-04 01:16
Summary
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.
References
URL | Tags
---|---
https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164 | x_refsource_MISC
https://www.debian.org/security/2022/dsa-5153 | vendor-advisory, x_refsource_DEBIAN
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 8.0.0 to 8.1.2; 9.0.0 to 9.1.0
CVE-2022-28129 (GCVE-0-2022-28129)
Vulnerability from cvelistv5
Published
2022-08-10 00:00
Modified
2024-08-03 05:48
Summary
Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
References
URL | Tags
---|---
https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21 |
https://www.debian.org/security/2022/dsa-5206 | vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/ | vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/ | vendor-advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00019.html | mailing-list
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 8.0.0 to 9.1.2
CVE-2024-56202 (GCVE-0-2024-56202)
Vulnerability from cvelistv5
Published
2025-03-06 11:09
Modified
2025-03-06 15:38
Summary
Expected Behavior Violation vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.
Users are recommended to upgrade to version 9.2.9 or 10.0.4 or newer, which fix the issue.
References
URL | Tags
---|---
https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 9.0.0 through 9.2.8; 10.0.0 through 10.0.3
CVE-2016-5396 (GCVE-0-2016-5396)
Vulnerability from cvelistv5
Published
2017-04-17 18:00
Modified
2024-08-06 01:00
Summary
Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack.
References
URL | Tags
---|---
https://issues.apache.org/jira/browse/TS-5019 | x_refsource_CONFIRM
http://www.securityfocus.com/bid/97945 | vdb-entry, x_refsource_BID
http://www.securitytracker.com/id/1038275 | vdb-entry, x_refsource_SECTRACK
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 6.0.0 to 6.2.0
CVE-2023-38522 (GCVE-0-2023-38522)
Vulnerability from cvelistv5
Published
2024-07-26 09:11
Modified
2024-08-13 08:46
Summary
Apache Traffic Server accepts characters that are not allowed in HTTP field names and forwards the malformed requests to origin servers. This can be utilized for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.
Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
References
URL | Tags
---|---
https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0 | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 8.0.0 through 8.1.10; 9.0.0 through 9.2.4
CVE-2021-37148 (GCVE-0-2021-37148)
Vulnerability from cvelistv5
Published
2021-11-03 15:20
Modified
2024-08-04 01:16
Summary
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1.
References

| URL | Tags |
|---|---|
| https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164 | x_refsource_MISC |
| https://www.debian.org/security/2022/dsa-5153 | vendor-advisory, x_refsource_DEBIAN |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Traffic Server | 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T01:16:03.219Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, { name: "DSA-5153", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5153", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "8.0.0 to 8.1.2 and 9.0.0 to 9.0.1", }, ], }, ], credits: [ { lang: "en", value: "Apache Traffic Server would like to thank Mattias Grenfeldt and Asta Olofsson for reporting this issue", }, ], descriptions: [ { lang: "en", value: "Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-31T10:06:42", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, { name: "DSA-5153", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2022/dsa-5153", }, ], source: { discovery: "UNKNOWN", }, title: "Request Smuggling - transfer encoding validation", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-37148", STATE: "PUBLIC", TITLE: "Request Smuggling - transfer encoding validation", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", 
version: { version_data: [ { version_value: "8.0.0 to 8.1.2 and 9.0.0 to 9.0.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "Apache Traffic Server would like to thank Mattias Grenfeldt and Asta Olofsson for reporting this issue", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-20 Improper Input Validation", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", refsource: "MISC", url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, { name: "DSA-5153", refsource: "DEBIAN", url: "https://www.debian.org/security/2022/dsa-5153", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-37148", datePublished: "2021-11-03T15:20:20", dateReserved: "2021-07-21T00:00:00", dateUpdated: "2024-08-04T01:16:03.219Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-25763 (GCVE-0-2022-25763)
Vulnerability from cvelistv5
Published
2022-08-10 05:50
Modified
2024-08-03 04:49
Summary
Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
References

| URL | Tags |
|---|---|
| https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21 | x_refsource_MISC |
| https://www.debian.org/security/2022/dsa-5206 | vendor-advisory, x_refsource_DEBIAN |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/ | vendor-advisory, x_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/ | vendor-advisory, x_refsource_FEDORA |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Traffic Server | 8.0.0 to 9.1.2 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T04:49:43.567Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", }, { name: "DSA-5206", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5206", }, { name: "FEDORA-2022-9832c0c04b", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/", }, { name: "FEDORA-2022-23043f5a0b", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "8.0.0 to 9.1.2", }, ], }, ], credits: [ { lang: "en", value: "Apache Traffic Server would like to thank Mazakatsu Kitajo, Dhana Sekaran, and Zhang Zeyu for reporting this issue.", }, ], descriptions: [ { lang: "en", value: "Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. 
This issue affects Apache Traffic Server 8.0.0 to 9.1.2.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-444", description: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-07-12T10:08:45.458Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", }, { name: "DSA-5206", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2022/dsa-5206", }, { name: "FEDORA-2022-9832c0c04b", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/", }, { name: "FEDORA-2022-23043f5a0b", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/", }, ], source: { discovery: "UNKNOWN", }, title: "Improper input validation on HTTP/2 headers ", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2022-25763", STATE: "PUBLIC", TITLE: "Improper input validation on HTTP/2 headers ", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "8.0.0 to 9.1.2", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "Apache Traffic Server would like to thank Mazakatsu Kitajo, Tony Regins, and Zhang Zeyu for reporting this issue.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Improper Input Validation vulnerability in HTTP/2 request validation of Apache 
Traffic Server allows an attacker to create smuggle or cache poison attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", refsource: "MISC", url: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", }, { name: "DSA-5206", refsource: "DEBIAN", url: "https://www.debian.org/security/2022/dsa-5206", }, { name: "FEDORA-2022-9832c0c04b", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/", }, { name: "FEDORA-2022-23043f5a0b", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-25763", datePublished: "2022-08-10T05:50:21", dateReserved: "2022-02-22T00:00:00", dateUpdated: "2024-08-03T04:49:43.567Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-38479 (GCVE-0-2024-38479)
Vulnerability from cvelistv5
Published
2024-11-14 09:52
Modified
2024-11-14 18:53
Summary
Improper Input Validation vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5.
Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
References

| URL | Tags |
|---|---|
| https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y | vendor-advisory |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Traffic Server | 8.0.0 ≤ 8.1.11; 9.0.0 ≤ 9.2.5 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:apache_software_foundation:apache_traffic_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "apache_traffic_server", vendor: "apache_software_foundation", versions: [ { lessThanOrEqual: "8.1.11", status: "affected", version: "8.0.0", versionType: "semver", }, { lessThanOrEqual: "9.2.5", status: "affected", version: "9.0.0", versionType: "custom", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2024-38479", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-11-14T18:51:08.166332Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-11-14T18:53:32.003Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "8.1.11", status: "affected", version: "8.0.0", versionType: "semver", }, { lessThanOrEqual: "9.2.5", status: "affected", version: "9.0.0", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Improper Input Validation vulnerability in Apache Traffic Server.</p><p>This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5.</p><p>Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.</p>", }, ], value: "Improper Input Validation vulnerability in Apache 
Traffic Server.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5.\n\nUsers are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.", }, ], metrics: [ { other: { content: { text: "moderate", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-14T09:52:14.291Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Cache key plugin is vulnerable to cache poisoning attack", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-38479", datePublished: "2024-11-14T09:52:14.291Z", dateReserved: "2024-06-17T18:52:58.287Z", dateUpdated: "2024-11-14T18:53:32.003Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-33934 (GCVE-0-2023-33934)
Vulnerability from cvelistv5
Published
2023-08-09 06:58
Modified
2025-02-13 16:55
Summary
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. This issue affects Apache Traffic Server: through 9.2.1.
References

Impacted products

| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Traffic Server | 0 ≤ 9.2.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T15:54:13.403Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/jsl6dfdgs1mjjo1mbtyflyjr7xftswhc", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BOTOM2MFKOLK46Q3BQHO662HTPZFRQUC/", }, { tags: [ "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/09/msg00042.html", }, { tags: [ "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5549", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "traffic_server", vendor: "apache", versions: [ { lessThanOrEqual: "8.1.7", status: "affected", version: "8.0.0", versionType: "custom", }, { lessThanOrEqual: "9.2.1", status: "affected", version: "9.0.0", versionType: "custom", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2023-33934", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-01T18:29:05.853682Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-01T18:31:34.304Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "9.2.1", 
status: "affected", version: "0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, Harvey Tuch", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.<p>This issue affects Apache Traffic Server: through 9.2.1.</p>", }, ], value: "Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: through 9.2.1.", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-444", description: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-06T02:06:30.092Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/jsl6dfdgs1mjjo1mbtyflyjr7xftswhc", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BOTOM2MFKOLK46Q3BQHO662HTPZFRQUC/", }, { url: "https://lists.debian.org/debian-lts-announce/2023/09/msg00042.html", }, { url: "https://www.debian.org/security/2023/dsa-5549", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Differential fuzzing for HTTP request parsing discrepancies", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-33934", datePublished: "2023-08-09T06:58:06.516Z", dateReserved: "2023-05-23T21:05:43.535Z", dateUpdated: "2025-02-13T16:55:12.908Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-38311 (GCVE-0-2024-38311)
Vulnerability from cvelistv5
Published
2025-03-06 11:34
Modified
2025-03-06 15:35
Summary
Improper Input Validation vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.
Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.
References

| URL | Tags |
|---|---|
| https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 | vendor-advisory |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Traffic Server | 8.0.0 ≤ 8.1.11; 9.0.0 ≤ 9.2.8; 10.0.0 ≤ 10.0.3 |
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, }, { other: { content: { id: "CVE-2024-38311", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-06T15:35:26.697946Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-06T15:35:49.759Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "8.1.11", status: "affected", version: "8.0.0", versionType: "semver", }, { lessThanOrEqual: "9.2.8", status: "affected", version: "9.0.0", versionType: "semver", }, { lessThanOrEqual: "10.0.3", status: "affected", version: "10.0.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "reporter", value: "Ben Kallus", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Improper Input Validation vulnerability in Apache Traffic Server.</p><p>This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.</p><p>Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.</p>", }, ], value: "Improper Input Validation vulnerability in Apache Traffic Server.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.\n\nUsers are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.", }, ], metrics: [ { 
other: { content: { text: "moderate", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-06T11:34:16.289Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Request smuggling via pipelining after a chunked message body", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-38311", datePublished: "2025-03-06T11:34:16.289Z", dateReserved: "2024-06-13T15:53:48.274Z", dateUpdated: "2025-03-06T15:35:49.759Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-53868 (GCVE-0-2024-53868)
Vulnerability from cvelistv5
Published
2025-04-03 08:59
Modified
2025-04-18 14:38
Summary
Apache Traffic Server allows request smuggling if chunked messages are malformed.
This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4.
Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue.
References

| URL | Tags |
|---|---|
| https://lists.apache.org/thread/rwyx91rsrnmpjbm04footfjjf6m9d1c9 | vendor-advisory |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Traffic Server | 9.2.0 ≤ 9.2.9; 10.0.0 ≤ 10.0.4 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2025-04-03T09:03:43.467Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { url: "http://www.openwall.com/lists/oss-security/2025/04/02/4", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2024-53868", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-18T14:37:32.583128Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-18T14:38:03.477Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "9.2.9", status: "affected", version: "9.2.0", versionType: "semver", }, { lessThanOrEqual: "10.0.4", status: "affected", version: "10.0.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "reporter", value: "Jeppe Bonde Weikop", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p></p><p><span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">Apache Traffic Server allows request smuggling if c</span>hunked messages are malformed.</span> </p><p></p><p></p><p>This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4.</p><p>Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue.</p>", }, ], 
value: "Apache Traffic Server allows request smuggling if chunked messages are malformed. \n\n\n\n\n\nThis issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4.\n\nUsers are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue.", }, ], metrics: [ { other: { content: { text: "low", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-444", description: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-04-03T08:59:02.557Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/rwyx91rsrnmpjbm04footfjjf6m9d1c9", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Malformed chunked message body allows request smuggling", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-53868", datePublished: "2025-04-03T08:59:02.557Z", dateReserved: "2024-11-22T19:01:29.833Z", dateUpdated: "2025-04-18T14:38:03.477Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-32749 (GCVE-0-2022-32749)
Vulnerability from cvelistv5
Published
2022-12-19 10:51
Modified
2025-04-17 14:21
Summary
Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions.
This issue affects Apache Traffic Server: from 8.0.0 through 9.1.3.
References

| URL | Tags |
|---|---|
| https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02 | vendor-advisory |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Traffic Server | 8.0.0 ≤ 9.1.3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:46:45.327Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2022-32749", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-17T14:20:46.910923Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-17T14:21:28.511Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "9.1.3", status: "affected", version: "8.0.0", versionType: "custom", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Vijay Mamidi", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\nImproper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions.\n\n<p>This issue affects Apache Traffic Server: from 8.0.0 through 9.1.3.</p>", }, ], value: "\nImproper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions.\n\nThis issue affects Apache 
Traffic Server: from 8.0.0 through 9.1.3.\n\n", }, ], metrics: [ { other: { content: { text: "low", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-754", description: "CWE-754 Improper Check for Unusual or Exceptional Conditions", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-12-19T10:51:57.466Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Improperly handled requests can cause crashes in specific plugins", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-32749", datePublished: "2022-12-19T10:51:57.466Z", dateReserved: "2022-06-09T15:18:03.287Z", dateUpdated: "2025-04-17T14:21:28.511Z", requesterUserId: "01d7ebfd-4418-401d-b8e4-f5ae3da29160", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-31779 (GCVE-0-2022-31779)
Vulnerability from cvelistv5
Published
2022-08-10 05:50
Modified
2024-08-03 07:26
Summary
Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
References

| URL | Tags |
|---|---|
| https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21 | x_refsource_MISC |
| https://www.debian.org/security/2022/dsa-5206 | vendor-advisory, x_refsource_DEBIAN |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/ | vendor-advisory, x_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/ | vendor-advisory, x_refsource_FEDORA |

Impacted products

| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Traffic Server | 8.0.0 to 9.1.2 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:26:01.104Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", }, { name: "DSA-5206", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5206", }, { name: "FEDORA-2022-9832c0c04b", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/", }, { name: "FEDORA-2022-23043f5a0b", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "8.0.0 to 9.1.2", }, ], }, ], credits: [ { lang: "en", value: "Apache Traffic Server would like to thank Dhana Sekaran for reporting this issue.", }, ], descriptions: [ { lang: "en", value: "Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. 
This issue affects Apache Traffic Server 8.0.0 to 9.1.2.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-11-21T09:48:49.156Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", }, { name: "DSA-5206", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2022/dsa-5206", }, { name: "FEDORA-2022-9832c0c04b", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/", }, { name: "FEDORA-2022-23043f5a0b", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/", }, ], source: { discovery: "UNKNOWN", }, title: "Improper HTTP/2 scheme and method validation", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2022-31779", STATE: "PUBLIC", TITLE: "Improper HTTP/2 scheme and method validation", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "8.0.0 to 9.1.2", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "Apache Traffic Server would like to thank Tony Regins for reporting this issue.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. 
This issue affects Apache Traffic Server 8.0.0 to 9.1.2.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-20 Improper Input Validation", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", refsource: "MISC", url: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", }, { name: "DSA-5206", refsource: "DEBIAN", url: "https://www.debian.org/security/2022/dsa-5206", }, { name: "FEDORA-2022-9832c0c04b", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/", }, { name: "FEDORA-2022-23043f5a0b", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-31779", datePublished: "2022-08-10T05:50:40", dateReserved: "2022-05-27T00:00:00", dateUpdated: "2024-08-03T07:26:01.104Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-37392 (GCVE-0-2022-37392)
Vulnerability from cvelistv5
Published
2022-12-19 10:59
Modified
2025-04-17 14:20
Severity ?
EPSS score ?
Summary
Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
References
URL | Tags
---|---
https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02 | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 8.0.0 <
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T10:29:21.023Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2022-37392", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-17T14:20:03.850619Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-17T14:20:28.706Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "9.1.3", status: "affected", version: "8.0.0", versionType: "custom", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Menno de Gier", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.", }, ], value: "Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. 
This issue affects Apache Traffic Server 8.0.0 to 9.1.2.", }, ], metrics: [ { other: { content: { text: "low", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-754", description: "CWE-754 Improper Check for Unusual or Exceptional Conditions", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-12-19T10:59:05.957Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Improperly reading the client requests", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-37392", datePublished: "2022-12-19T10:59:05.957Z", dateReserved: "2022-08-02T15:38:07.034Z", dateUpdated: "2025-04-17T14:20:28.706Z", requesterUserId: "01d7ebfd-4418-401d-b8e4-f5ae3da29160", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-30631 (GCVE-0-2023-30631)
Vulnerability from cvelistv5
Published
2023-06-14 07:44
Modified
2025-02-13 16:49
Severity ?
EPSS score ?
Summary
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. The configuration option proxy.config.http.push_method_enabled didn't function. However, by default the PUSH method is blocked in the ip_allow configuration file. This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.
8.x users should upgrade to 8.1.7 or later versions
9.x users should upgrade to 9.2.1 or later versions
References
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 8.0.0 ≤ 9.2.0
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T14:28:51.931Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/tns2b4khyyncgs5v5p9y35pobg9z2bvs", }, { tags: [ "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5435", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6GDCBNFDDW6ULW7CACJCPENI7BVDHM5O/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGWXNAEEVRUZ5JG4EJAIIFC3CI7LFETV/", }, { tags: [ "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/06/msg00037.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "9.2.0", status: "affected", version: "8.0.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Chris Lemmons", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. The configuration option proxy.config.http.push_method_enabled didn't function. However, by default the PUSH method is blocked in the ip_allow configuration file.<p>This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.</p><p>8.x users should upgrade to 8.1.7 or later versions<br>9.x users should upgrade to 9.2.1 or later versions<br></p>", }, ], value: "Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. The configuration option proxy.config.http.push_method_enabled didn't function. 
However, by default the PUSH method is blocked in the ip_allow configuration file.This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.\n\n8.x users should upgrade to 8.1.7 or later versions\n9.x users should upgrade to 9.2.1 or later versions", }, ], metrics: [ { other: { content: { text: "moderate", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-06-30T01:06:13.949Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/tns2b4khyyncgs5v5p9y35pobg9z2bvs", }, { url: "https://www.debian.org/security/2023/dsa-5435", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6GDCBNFDDW6ULW7CACJCPENI7BVDHM5O/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGWXNAEEVRUZ5JG4EJAIIFC3CI7LFETV/", }, { url: "https://lists.debian.org/debian-lts-announce/2023/06/msg00037.html", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Configuration option to block the PUSH method in ATS didn't work", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-30631", datePublished: "2023-06-14T07:44:55.149Z", dateReserved: "2023-04-13T18:09:45.923Z", dateUpdated: "2025-02-13T16:49:34.433Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-32567 (GCVE-0-2021-32567)
Vulnerability from cvelistv5
Published
2021-06-30 07:15
Modified
2024-08-03 23:25
Severity ?
EPSS score ?
Summary
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
References
URL | Tags
---|---
https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E | x_refsource_MISC
https://www.debian.org/security/2021/dsa-4957 | vendor-advisory, x_refsource_DEBIAN
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:25:30.398Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4957", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-4957", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1", }, ], }, ], descriptions: [ { lang: "en", value: "Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-08-14T14:06:11", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4957", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-4957", }, ], source: { discovery: "UNKNOWN", }, title: "Reading HTTP/2 frames too many times", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-32567", STATE: "PUBLIC", TITLE: "Reading HTTP/2 frames too many times", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic 
Server", version: { version_data: [ { version_name: "Apache Traffic Server", version_value: "7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-20 Improper Input Validation", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4957", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-4957", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-32567", datePublished: "2021-06-30T07:15:21", dateReserved: "2021-05-11T00:00:00", dateUpdated: "2024-08-03T23:25:30.398Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-41752 (GCVE-0-2023-41752)
Vulnerability from cvelistv5
Published
2023-10-17 06:57
Modified
2025-02-13 17:09
Severity ?
EPSS score ?
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2.
Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fixes the issue.
References
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 8.0.0 ≤ 8.1.8
Apache Software Foundation | Apache Traffic Server | 9.0.0 ≤ 9.2.2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T19:09:48.026Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", }, { tags: [ "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", }, { tags: [ "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5549", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:apache_software_foundation:apache_traffic_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "apache_traffic_server", vendor: "apache_software_foundation", versions: [ { lessThanOrEqual: "8.1.8", status: "affected", version: "8.0.0", versionType: "custom", }, { lessThanOrEqual: "9.2.2", status: "affected", version: "9.0.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-41752", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-13T19:48:24.523137Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-13T19:50:52.685Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software 
Foundation", versions: [ { lessThanOrEqual: "8.1.8", status: "affected", version: "8.0.0", versionType: "semver", }, { lessThanOrEqual: "9.2.2", status: "affected", version: "9.0.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Masakazu Kitajo", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.<p>This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2.</p><p>Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fixes the issue.</p>", }, ], value: "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2.\n\nUsers are recommended to upgrade to version 8.1.9 or 9.2.3, which fixes the issue.", }, ], metrics: [ { other: { content: { text: "low", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-05T23:06:22.512Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", }, { url: 
"https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", }, { url: "https://www.debian.org/security/2023/dsa-5549", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: s3_auth plugin problem with hash calculation", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-41752", datePublished: "2023-10-17T06:57:47.508Z", dateReserved: "2023-08-31T20:55:13.999Z", dateUpdated: "2025-02-13T17:09:03.136Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-44040 (GCVE-0-2021-44040)
Vulnerability from cvelistv5
Published
2022-03-23 14:05
Modified
2024-08-04 04:10
Severity ?
EPSS score ?
Summary
Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1.
References
URL | Tags
---|---
https://lists.apache.org/thread/zblwzcfs9ryhwjr89wz4osw55pxm6dx6 | x_refsource_MISC
https://www.debian.org/security/2022/dsa-5153 | vendor-advisory, x_refsource_DEBIAN
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T04:10:17.217Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/zblwzcfs9ryhwjr89wz4osw55pxm6dx6", }, { name: "DSA-5153", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5153", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "8.0.0 to 8.1.3 and 9.0.0 to 9.1.1", }, ], }, ], credits: [ { lang: "en", value: "Apache Traffic Server would like to thank Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu for reporting these issues. We used his tool t-reqs (https://github.com/bahruzjabiyev/t-reqs-http-fuzzer) for discovering them.", }, ], descriptions: [ { lang: "en", value: "Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. 
This issue affects Apache Traffic Server 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-31T10:06:44", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/zblwzcfs9ryhwjr89wz4osw55pxm6dx6", }, { name: "DSA-5153", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2022/dsa-5153", }, ], source: { discovery: "UNKNOWN", }, title: "HTTP request line fuzzing attacks", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-44040", STATE: "PUBLIC", TITLE: "HTTP request line fuzzing attacks", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "8.0.0 to 8.1.3 and 9.0.0 to 9.1.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "Apache Traffic Server would like to thank Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu for reporting these issues. We used his tool t-reqs (https://github.com/bahruzjabiyev/t-reqs-http-fuzzer) for discovering them.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. 
This issue affects Apache Traffic Server 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-20 Improper Input Validation", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/zblwzcfs9ryhwjr89wz4osw55pxm6dx6", refsource: "MISC", url: "https://lists.apache.org/thread/zblwzcfs9ryhwjr89wz4osw55pxm6dx6", }, { name: "DSA-5153", refsource: "DEBIAN", url: "https://www.debian.org/security/2022/dsa-5153", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-44040", datePublished: "2022-03-23T14:05:15", dateReserved: "2021-11-19T00:00:00", dateUpdated: "2024-08-04T04:10:17.217Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-35474 (GCVE-0-2021-35474)
Vulnerability from cvelistv5
Published
2021-06-30 07:15
Modified
2024-08-04 00:40
Severity ?
EPSS score ?
Summary
Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
References
URL | Tags
---|---
https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E | x_refsource_MISC
https://www.debian.org/security/2021/dsa-4957 | vendor-advisory, x_refsource_DEBIAN
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T00:40:46.453Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4957", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-4957", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1", }, ], }, ], descriptions: [ { lang: "en", value: "Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-121", description: "CWE-121 Stack-based Buffer Overflow", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-08-14T14:06:08", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4957", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-4957", }, ], source: { discovery: "UNKNOWN", }, title: "Dynamic stack buffer overflow in cachekey plugin", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-35474", STATE: "PUBLIC", TITLE: "Dynamic stack buffer overflow in cachekey plugin", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic 
Server", version: { version_data: [ { version_name: "Apache Traffic Server", version_value: "7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-121 Stack-based Buffer Overflow", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4957", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-4957", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-35474", datePublished: "2021-06-30T07:15:22", dateReserved: "2021-06-24T00:00:00", dateUpdated: "2024-08-04T00:40:46.453Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-47185 (GCVE-0-2022-47185)
Vulnerability from cvelistv5
Published
2023-08-09 06:57
Modified
2025-02-13 16:34
Severity ?
EPSS score ?
Summary
Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server. This issue affects Apache Traffic Server: through 9.2.1.
References
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 0 ≤ 9.2.1
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T14:47:29.326Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/jsl6dfdgs1mjjo1mbtyflyjr7xftswhc", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BOTOM2MFKOLK46Q3BQHO662HTPZFRQUC/", }, { tags: [ "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/09/msg00042.html", }, { tags: [ "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5549", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "traffic_server", vendor: "apache", versions: [ { lessThanOrEqual: "9.2.1", status: "affected", version: "9.0.0", versionType: "custom", }, { lessThanOrEqual: "8.1.7", status: "affected", version: "8.0.0", versionType: "custom", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2022-47185", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-01T18:22:26.464875Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-01T18:25:56.355Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "9.2.1", 
status: "affected", version: "0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Katsutoshi Ikenoya", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server.<p>This issue affects Apache Traffic Server: through 9.2.1.</p>", }, ], value: "Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: through 9.2.1.", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-06T02:06:15.766Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/jsl6dfdgs1mjjo1mbtyflyjr7xftswhc", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BOTOM2MFKOLK46Q3BQHO662HTPZFRQUC/", }, { url: "https://lists.debian.org/debian-lts-announce/2023/09/msg00042.html", }, { url: "https://www.debian.org/security/2023/dsa-5549", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Invalid Range header causes a crash", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-47185", datePublished: "2023-08-09T06:57:40.407Z", dateReserved: "2022-12-12T15:52:39.837Z", dateUpdated: "2025-02-13T16:34:00.177Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2018-8005 (GCVE-0-2018-8005)
Vulnerability from cvelistv5
Published
2018-08-29 13:00
Modified
2024-09-16 19:10
Summary
When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. This can cause performance problems with large objects in cache. This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue, users running 6.x should upgrade to 6.2.3 or later and users running 7.x should upgrade to 7.1.4 or later.
References
URL | Tags
---|---
https://lists.apache.org/thread.html/55d225af92887bfed0194400fd1b718622cca4140fc7318d982e25ca%40%3Cusers.trafficserver.apache.org%3E | mailing-list, x_refsource_MLIST
https://www.debian.org/security/2018/dsa-4282 | vendor-advisory, x_refsource_DEBIAN
http://www.securityfocus.com/bid/105187 | vdb-entry, x_refsource_BID
https://github.com/apache/trafficserver/pull/3106 | x_refsource_CONFIRM
https://github.com/apache/trafficserver/pull/3124 | x_refsource_CONFIRM
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 6.0.0 to 6.2.2; 7.0.0 to 7.1.3
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T06:37:59.730Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with multi-range requests - CVE-2018-8005", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/55d225af92887bfed0194400fd1b718622cca4140fc7318d982e25ca%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4282", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2018/dsa-4282", }, { name: "105187", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/105187", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/apache/trafficserver/pull/3106", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/apache/trafficserver/pull/3124", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "6.0.0 to 6.2.2", }, { status: "affected", version: "7.0.0 to 7.1.3", }, ], }, ], datePublic: "2018-08-28T00:00:00", descriptions: [ { lang: "en", value: "When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. This can cause performance problems with large objects in cache. This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. 
To resolve this issue users running 6.x users should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-09-02T09:57:01", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with multi-range requests - CVE-2018-8005", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/55d225af92887bfed0194400fd1b718622cca4140fc7318d982e25ca%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4282", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2018/dsa-4282", }, { name: "105187", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/105187", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/apache/trafficserver/pull/3106", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/apache/trafficserver/pull/3124", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", DATE_PUBLIC: "2018-08-28T00:00:00", ID: "CVE-2018-8005", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "6.0.0 to 6.2.2", }, { version_value: "7.0.0 to 7.1.3", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. This can cause performance problems with large objects in cache. This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. 
To resolve this issue users running 6.x users should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with multi-range requests - CVE-2018-8005", refsource: "MLIST", url: "https://lists.apache.org/thread.html/55d225af92887bfed0194400fd1b718622cca4140fc7318d982e25ca@%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4282", refsource: "DEBIAN", url: "https://www.debian.org/security/2018/dsa-4282", }, { name: "105187", refsource: "BID", url: "http://www.securityfocus.com/bid/105187", }, { name: "https://github.com/apache/trafficserver/pull/3106", refsource: "CONFIRM", url: "https://github.com/apache/trafficserver/pull/3106", }, { name: "https://github.com/apache/trafficserver/pull/3124", refsource: "CONFIRM", url: "https://github.com/apache/trafficserver/pull/3124", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2018-8005", datePublished: "2018-08-29T13:00:00Z", dateReserved: "2018-03-09T00:00:00", dateUpdated: "2024-09-16T19:10:15.976Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-41585 (GCVE-0-2021-41585)
Vulnerability from cvelistv5
Published
2021-11-03 15:20
Modified
2024-08-04 03:15
Summary
Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop accepting new connections. This issue affects Apache Traffic Server 5.0.0 to 9.1.0.
References
URL | Tags
---|---
https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 7.0.0 to 9.1.0
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T03:15:28.820Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "7.0.0 to 9.1.0", }, ], }, ], credits: [ { lang: "en", value: "Apache Traffic Server would like to thank Asbjorn Bjornstad for finding this issue.", }, ], descriptions: [ { lang: "en", value: "Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop accepting new connections. This issue affects Apache Traffic Server 5.0.0 to 9.1.0.", }, ], problemTypes: [ { descriptions: [ { description: "cwe", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-11-03T15:20:25", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, ], source: { discovery: "UNKNOWN", }, title: "ATS stops accepting connections on FreeBSD", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-41585", STATE: "PUBLIC", TITLE: "ATS stops accepting connections on FreeBSD", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "7.0.0 to 9.1.0", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "Apache Traffic Server would like to thank Asbjorn Bjornstad for finding this issue.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { 
description_data: [ { lang: "eng", value: "Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop accepting new connections. This issue affects Apache Traffic Server 5.0.0 to 9.1.0.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "cwe", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", refsource: "MISC", url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-41585", datePublished: "2021-11-03T15:20:25", dateReserved: "2021-09-24T00:00:00", dateUpdated: "2024-08-04T03:15:28.820Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-31780 (GCVE-0-2022-31780)
Vulnerability from cvelistv5
Published
2022-08-10 00:00
Modified
2024-08-03 07:26
Summary
Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
References
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 8.0.0 to 9.1.2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:26:01.168Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", }, { name: "DSA-5206", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5206", }, { name: "FEDORA-2022-9832c0c04b", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/", }, { name: "FEDORA-2022-23043f5a0b", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/", }, { name: "[debian-lts-announce] 20230123 [SECURITY] [DLA 3279-1] trafficserver security update", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00019.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "8.0.0 to 9.1.2", }, ], }, ], credits: [ { lang: "en", value: "Apache Traffic Server would like to thank Bahruz Jabiyev, Steven Sprecher, Anthony Gavazzi, Tommaso Innocenti, Kaan Onarlioglu, and Engin Kirda for reporting these issues. ", }, ], descriptions: [ { lang: "en", value: "Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. 
This issue affects Apache Traffic Server 8.0.0 to 9.1.2.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-23T00:00:00", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { url: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", }, { name: "DSA-5206", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2022/dsa-5206", }, { name: "FEDORA-2022-9832c0c04b", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/", }, { name: "FEDORA-2022-23043f5a0b", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/", }, { name: "[debian-lts-announce] 20230123 [SECURITY] [DLA 3279-1] trafficserver security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00019.html", }, ], source: { discovery: "UNKNOWN", }, title: "HTTP/2 framing vulnerabilities ", x_generator: { engine: "Vulnogram 0.0.9", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-31780", datePublished: "2022-08-10T00:00:00", dateReserved: "2022-05-27T00:00:00", dateUpdated: "2024-08-03T07:26:01.168Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-43082 (GCVE-0-2021-43082)
Vulnerability from cvelistv5
Published
2021-11-03 15:20
Modified
2024-08-04 03:47
Summary
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory. This issue affects Apache Traffic Server 9.1.0.
References
URL | Tags
---|---
https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 9.1.0
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T03:47:13.379Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "9.1.0", }, ], }, ], credits: [ { lang: "en", value: "Apache Traffic Server would like to thank Masori Koshiba for finding this issue.", }, ], descriptions: [ { lang: "en", value: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory. This issue affects Apache Traffic Server 9.1.0.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-120", description: "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-11-03T15:20:27", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, ], source: { discovery: "UNKNOWN", }, title: "heap-buffer-overflow with stats-over-http plugin", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-43082", STATE: "PUBLIC", TITLE: "heap-buffer-overflow with stats-over-http plugin", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "9.1.0", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "Apache Traffic Server would like to thank Masori Koshiba for finding this issue.", }, ], 
data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory. This issue affects Apache Traffic Server 9.1.0.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", refsource: "MISC", url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-43082", datePublished: "2021-11-03T15:20:27", dateReserved: "2021-10-30T00:00:00", dateUpdated: "2024-08-04T03:47:13.379Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-37147 (GCVE-0-2021-37147)
Vulnerability from cvelistv5
Published
2021-11-03 15:20
Modified
2024-08-04 01:16
Summary
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.
References
URL | Tags
---|---
https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164 | x_refsource_MISC
https://www.debian.org/security/2022/dsa-5153 | vendor-advisory, x_refsource_DEBIAN
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 8.0.0 to 8.1.2; 9.0.0 to 9.1.0
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T01:16:02.883Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, { name: "DSA-5153", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5153", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "8.0.0 to 8.1.2 and 9.0.0 to 9.1.0", }, ], }, ], credits: [ { lang: "en", value: "Apache Traffic Server would like to thank Mattias Grenfeldt and Asta Olofsson for reporting this issue.", }, ], descriptions: [ { lang: "en", value: "Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, { cweId: "CWE-444", description: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-10T12:13:07.363Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, { name: "DSA-5153", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2022/dsa-5153", }, ], source: { discovery: "UNKNOWN", }, title: "Request Smuggling - LF line ending", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-37147", STATE: "PUBLIC", TITLE: "Request Smuggling - LF 
line ending", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "8.0.0 to 8.1.2 and 9.0.0 to 9.1.0", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "Apache Traffic Server would like to thank Mattias Grenfeldt and Asta Olofsson for reporting this issue.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-20 Improper Input Validation", }, { lang: "eng", value: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", refsource: "MISC", url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, { name: "DSA-5153", refsource: "DEBIAN", url: "https://www.debian.org/security/2022/dsa-5153", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-37147", datePublished: "2021-11-03T15:20:19", dateReserved: "2021-07-21T00:00:00", dateUpdated: "2024-08-04T01:16:02.883Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-32565 (GCVE-0-2021-32565)
Vulnerability from cvelistv5
Published
2021-06-29 11:45
Modified
2024-08-03 23:25
Summary
Invalid values in the Content-Length header sent to Apache Traffic Server allow an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
References
URL | Tags
---|---
https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E | x_refsource_MISC
https://www.debian.org/security/2021/dsa-4957 | vendor-advisory, x_refsource_DEBIAN
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 7.0.0 to 7.1.12; 8.0.0 to 8.1.1; 9.0.0 to 9.0.1
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:25:30.615Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4957", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-4957", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1", }, ], }, ], descriptions: [ { lang: "en", value: "Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-444", description: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-08-14T14:06:17", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4957", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-4957", }, ], source: { discovery: "UNKNOWN", }, title: "HTTP Request Smuggling, content length with invalid charters", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-32565", STATE: "PUBLIC", TITLE: "HTTP Request Smuggling, content length with invalid charters", }, 
affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_name: "Apache Traffic Server", version_value: "7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4957", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-4957", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-32565", datePublished: "2021-06-29T11:45:20", dateReserved: "2021-05-11T00:00:00", dateUpdated: "2024-08-03T23:25:30.615Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-50305 (GCVE-0-2024-50305)
Vulnerability from cvelistv5
Published
2024-11-14 09:54
Modified
2024-11-14 18:15
Summary
A valid Host header field can cause Apache Traffic Server to crash on some platforms.
This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5.
Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
References
URL | Tags
---|---
https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 9.2.0 through 9.2.5
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:apache_software_foundation:apache_traffic_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "apache_traffic_server", vendor: "apache_software_foundation", versions: [ { lessThanOrEqual: "9.2.5", status: "affected", version: "9.2.0", versionType: "semver", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-50305", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-11-14T18:12:16.387475Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-120", description: "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-14T18:15:38.823Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "9.2.5", status: "affected", version: "9.2.0", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Valid Host header field can cause Apache Traffic Server to crash on some platforms.</p><p>This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5.</p><p>Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.</p>", }, ], value: "Valid Host header field can cause Apache Traffic Server to 
crash on some platforms.\n\nThis issue affects Apache Traffic Server: from 9.2.0 through 9.2.5.\n\nUsers are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-14T09:54:20.652Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Valid Host field value can cause crashes", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-50305", datePublished: "2024-11-14T09:54:20.652Z", dateReserved: "2024-10-21T20:32:08.974Z", dateUpdated: "2024-11-14T18:15:38.823Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-50306 (GCVE-0-2024-50306)
Vulnerability from cvelistv5
Published
2024-11-14 09:55
Modified
2024-11-14 18:11
Summary
An unchecked return value can allow Apache Traffic Server to retain privileges on startup.
This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1.
Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue.
References
URL | Tags
---|---
https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 9.2.0 through 9.2.5; 10.0.0 through 10.0.1
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:apache_software_foundation:apache_traffic_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "apache_traffic_server", vendor: "apache_software_foundation", versions: [ { lessThanOrEqual: "9.2.5", status: "affected", version: "9.2.0", versionType: "semver", }, { lessThanOrEqual: "10.0.1", status: "affected", version: "10.0.0", versionType: "semver", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-50306", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-11-14T18:07:42.496439Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-11-14T18:11:20.573Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "9.2.5", status: "affected", version: "9.2.0", versionType: "semver", }, { lessThanOrEqual: "10.0.1", status: "affected", version: "10.0.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "reporter", value: "Jeffrey BENCTEUX", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Unchecked return value can allow Apache Traffic Server to retain privileges on startup.</p><p>This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1.</p><p>Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the 
issue.</p>", }, ], value: "Unchecked return value can allow Apache Traffic Server to retain privileges on startup.\n\nThis issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1.\n\nUsers are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue.", }, ], metrics: [ { other: { content: { text: "low", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-252", description: "CWE-252 Unchecked Return Value", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-14T09:55:43.037Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Server process can fail to drop privilege", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-50306", datePublished: "2024-11-14T09:55:43.037Z", dateReserved: "2024-10-21T21:01:58.173Z", dateUpdated: "2024-11-14T18:11:20.573Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-31778 (GCVE-0-2022-31778)
Vulnerability from cvelistv5
Published
2022-08-10 00:00
Modified
2024-08-03 07:26
Severity ?
EPSS score ?
Summary
Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 8.0.0 to 9.0.2.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: 8.0.0 to 9.0.2 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:26:01.210Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", }, { name: "DSA-5206", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5206", }, { name: "[debian-lts-announce] 20230405 [SECURITY] [DLA 3385-1] trafficserver security update", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/04/msg00007.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "8.0.0 to 9.0.2", }, ], }, ], credits: [ { lang: "en", value: "Apache Traffic Server would like to thank Chris Lemmons for reporting this issue.", }, ], descriptions: [ { lang: "en", value: "Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. 
This issue affects Apache Traffic Server 8.0.0 to 9.0.2.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-06T00:00:00", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { url: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", }, { name: "DSA-5206", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2022/dsa-5206", }, { name: "[debian-lts-announce] 20230405 [SECURITY] [DLA 3385-1] trafficserver security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2023/04/msg00007.html", }, ], source: { discovery: "UNKNOWN", }, title: "Transfer-Encoding not treated as hop-by-hop", x_generator: { engine: "Vulnogram 0.0.9", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-31778", datePublished: "2022-08-10T00:00:00", dateReserved: "2022-05-27T00:00:00", dateUpdated: "2024-08-03T07:26:01.210Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-39456 (GCVE-0-2023-39456)
Vulnerability from cvelistv5
Published
2023-10-17 06:58
Modified
2025-02-13 17:03
Severity ?
EPSS score ?
Summary
Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2.
Users are recommended to upgrade to version 9.2.3, which fixes the issue.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: 9.0.0 ≤ 9.2.2 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T18:10:20.682Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", }, { tags: [ "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5549", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "traffic_server", vendor: "apache", versions: [ { lessThanOrEqual: "9.2.2", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-39456", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-13T19:44:04.361364Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-11-12T18:24:15.643Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "9.2.2", status: "affected", version: "9.0.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Akshat Parikh", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, 
type: "text/html", value: "Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.<p>This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2.</p><p>Users are recommended to upgrade to version 9.2.3, which fixes the issue.</p>", }, ], value: "Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2.\n\nUsers are recommended to upgrade to version 9.2.3, which fixes the issue.", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-06T02:06:19.587Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", }, { url: "https://www.debian.org/security/2023/dsa-5549", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Malformed http/2 frames can cause an abort", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-39456", datePublished: "2023-10-17T06:58:17.515Z", dateReserved: "2023-08-02T20:52:41.882Z", dateUpdated: "2025-02-13T17:03:07.739Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", 
dataVersion: "5.1", }
CVE-2018-8040 (GCVE-0-2018-8040)
Vulnerability from cvelistv5
Published
2018-08-29 13:00
Modified
2024-09-17 02:21
Severity ?
EPSS score ?
Summary
Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue, users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.
References
▼ | URL | Tags |
---|---|---|
https://github.com/apache/trafficserver/pull/3926 | x_refsource_CONFIRM | |
https://lists.apache.org/thread.html/cc7aa2ce1c6f4fe0c6bfef517763cdaad30ec7bcb0115b73f73f3c01%40%3Cusers.trafficserver.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/36b3df68fe7311965f6bc4630ca413d2aa99d8f1d53affda85ea70d7%40%3Cusers.trafficserver.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2018/dsa-4282 | vendor-advisory, x_refsource_DEBIAN | |
http://www.securityfocus.com/bid/105181 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: 6.0.0 to 6.2.2 Version: 7.0.0 to 7.1.3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T06:46:11.561Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/apache/trafficserver/pull/3926", }, { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with header variable access in the ESI plugin - CVE-2018-8040", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/cc7aa2ce1c6f4fe0c6bfef517763cdaad30ec7bcb0115b73f73f3c01%40%3Cusers.trafficserver.apache.org%3E", }, { name: "[trafficserver-users] 20180828 Re: [ANNOUNCE] Apache Traffic Server vulnerability with header variable access in the ESI plugin - CVE-2018-8040", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/36b3df68fe7311965f6bc4630ca413d2aa99d8f1d53affda85ea70d7%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4282", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2018/dsa-4282", }, { name: "105181", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/105181", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "6.0.0 to 6.2.2", }, { status: "affected", version: "7.0.0 to 7.1.3", }, ], }, ], datePublic: "2018-08-28T00:00:00", descriptions: [ { lang: "en", value: "Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. 
To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-09-02T09:57:01", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/apache/trafficserver/pull/3926", }, { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with header variable access in the ESI plugin - CVE-2018-8040", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/cc7aa2ce1c6f4fe0c6bfef517763cdaad30ec7bcb0115b73f73f3c01%40%3Cusers.trafficserver.apache.org%3E", }, { name: "[trafficserver-users] 20180828 Re: [ANNOUNCE] Apache Traffic Server vulnerability with header variable access in the ESI plugin - CVE-2018-8040", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/36b3df68fe7311965f6bc4630ca413d2aa99d8f1d53affda85ea70d7%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4282", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2018/dsa-4282", }, { name: "105181", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/105181", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", DATE_PUBLIC: "2018-08-28T00:00:00", ID: "CVE-2018-8040", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "6.0.0 to 6.2.2", }, { version_value: "7.0.0 to 7.1.3", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Pages that are 
rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/apache/trafficserver/pull/3926", refsource: "CONFIRM", url: "https://github.com/apache/trafficserver/pull/3926", }, { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with header variable access in the ESI plugin - CVE-2018-8040", refsource: "MLIST", url: "https://lists.apache.org/thread.html/cc7aa2ce1c6f4fe0c6bfef517763cdaad30ec7bcb0115b73f73f3c01@%3Cusers.trafficserver.apache.org%3E", }, { name: "[trafficserver-users] 20180828 Re: [ANNOUNCE] Apache Traffic Server vulnerability with header variable access in the ESI plugin - CVE-2018-8040", refsource: "MLIST", url: "https://lists.apache.org/thread.html/36b3df68fe7311965f6bc4630ca413d2aa99d8f1d53affda85ea70d7@%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4282", refsource: "DEBIAN", url: "https://www.debian.org/security/2018/dsa-4282", }, { name: "105181", refsource: "BID", url: "http://www.securityfocus.com/bid/105181", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2018-8040", datePublished: "2018-08-29T13:00:00Z", dateReserved: "2018-03-09T00:00:00", dateUpdated: "2024-09-17T02:21:14.011Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-35296 (GCVE-0-2024-35296)
Vulnerability from cvelistv5
Published
2024-07-26 09:11
Modified
2025-03-27 15:30
Severity ?
EPSS score ?
Summary
Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.
Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0 | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: 8.0.0 ≤ 8.1.10 Version: 9.0.0 ≤ 9.2.4 |
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", version: "3.1", }, }, { other: { content: { id: "CVE-2024-35296", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-26T14:01:18.718161Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-27T15:30:14.777Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T03:07:46.831Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "8.1.10", status: "affected", version: "8.0.0", versionType: "semver", }, { lessThanOrEqual: "9.2.4", status: "affected", version: "9.0.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "reporter", value: "Min Chen", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.</p><p>This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.</p><p>Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.</p>", }, ], value: "Invalid Accept-Encoding header can cause Apache Traffic Server to 
fail cache lookup and force forwarding requests.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.\n\nUsers are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.", }, ], metrics: [ { other: { content: { text: "moderate", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-26T09:11:11.221Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Invalid Accept-Encoding can force forwarding requests", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-35296", datePublished: "2024-07-26T09:11:11.221Z", dateReserved: "2024-05-15T21:41:36.675Z", dateUpdated: "2025-03-27T15:30:14.777Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2018-1318 (GCVE-0-2018-1318)
Vulnerability from cvelistv5
Published
2018-08-29 13:00
Modified
2024-09-16 22:50
Severity ?
EPSS score ?
Summary
Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue, users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.
References
▼ | URL | Tags |
---|---|---|
https://github.com/apache/trafficserver/pull/3195 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/105176 | vdb-entry, x_refsource_BID | |
https://www.debian.org/security/2018/dsa-4282 | vendor-advisory, x_refsource_DEBIAN | |
https://lists.apache.org/thread.html/9357cdfb6352f72944411608b712e37196ad9e4bc0f17c4828a26fb2%40%3Cusers.trafficserver.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: 6.0.0 to 6.2.2 Version: 7.0.0 to 7.1.3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T03:59:38.535Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/apache/trafficserver/pull/3195", }, { name: "105176", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/105176", }, { name: "DSA-4282", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2018/dsa-4282", }, { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with method ACLs - CVE-2018-1318", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/9357cdfb6352f72944411608b712e37196ad9e4bc0f17c4828a26fb2%40%3Cusers.trafficserver.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "6.0.0 to 6.2.2", }, { status: "affected", version: "7.0.0 to 7.1.3", }, ], }, ], datePublic: "2018-08-28T00:00:00", descriptions: [ { lang: "en", value: "Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request. This affects versions Apache Traffic Server (ATS) 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. 
To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-09-02T09:57:01", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/apache/trafficserver/pull/3195", }, { name: "105176", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/105176", }, { name: "DSA-4282", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2018/dsa-4282", }, { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with method ACLs - CVE-2018-1318", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/9357cdfb6352f72944411608b712e37196ad9e4bc0f17c4828a26fb2%40%3Cusers.trafficserver.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", DATE_PUBLIC: "2018-08-28T00:00:00", ID: "CVE-2018-1318", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "6.0.0 to 6.2.2", }, { version_value: "7.0.0 to 7.1.3", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request. This affects versions Apache Traffic Server (ATS) 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. 
To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/apache/trafficserver/pull/3195", refsource: "CONFIRM", url: "https://github.com/apache/trafficserver/pull/3195", }, { name: "105176", refsource: "BID", url: "http://www.securityfocus.com/bid/105176", }, { name: "DSA-4282", refsource: "DEBIAN", url: "https://www.debian.org/security/2018/dsa-4282", }, { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with method ACLs - CVE-2018-1318", refsource: "MLIST", url: "https://lists.apache.org/thread.html/9357cdfb6352f72944411608b712e37196ad9e4bc0f17c4828a26fb2@%3Cusers.trafficserver.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2018-1318", datePublished: "2018-08-29T13:00:00Z", dateReserved: "2017-12-07T00:00:00", dateUpdated: "2024-09-16T22:50:52.944Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-35161 (GCVE-0-2024-35161)
Vulnerability from cvelistv5
Published
2024-07-26 09:10
Modified
2024-08-13 08:48
Severity ?
EPSS score ?
Summary
Apache Traffic Server forwards a malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.
Users can set a new setting (proxy.config.http.drop_chunked_trailers) so that the chunked trailer section is not forwarded.
Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0 | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: 8.0.0 ≤ 8.1.10 Version: 9.0.0 ≤ 9.2.4 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "traffic_server", vendor: "apache", versions: [ { lessThanOrEqual: "8.1.10", status: "affected", version: "8.0.0", versionType: "semver", }, { lessThanOrEqual: "9.2.4", status: "affected", version: "9.0.0", versionType: "semver", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2024-35161", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-31T17:38:35.230307Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-31T17:47:08.763Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T03:07:46.737Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "8.1.10", status: "affected", version: "8.0.0", versionType: "semver", }, { lessThanOrEqual: "9.2.4", status: "affected", version: "9.0.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "reporter", value: "Keran Mu", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Apache Traffic Server forwards 
malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.</p><p>This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.</p>Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section.<br><p>Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.</p>", }, ], value: "Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.\n\nUsers can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section.\nUsers are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.", }, ], metrics: [ { other: { content: { text: "low", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-444", description: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-08-13T08:48:33.287Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Incomplete check for chunked trailer section allows request smuggling", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-35161", datePublished: "2024-07-26T09:10:56.281Z", dateReserved: "2024-05-09T20:04:47.056Z", dateUpdated: "2024-08-13T08:48:33.287Z", state: 
"PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2018-11783 (GCVE-0-2018-11783)
Vulnerability from cvelistv5
Published
2019-03-07 18:00
Modified
2024-09-16 22:15
Severity ?
EPSS score ?
Summary
The sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios. This problem was discovered in versions 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, and 8.0.0 to 8.0.1.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/107032 | vdb-entry, x_refsource_BID | |
https://lists.apache.org/thread.html/4f102f943935476732fb1fb653d687c7b69d29d9792f0d6cf72c505e%40%3Cannounce.trafficserver.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: Apache Traffic Server 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, 8.0.0 to 8.0.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T08:17:09.243Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "107032", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/107032", }, { name: "[trafficserver-announce] 20190212 [ANNOUNCE] Apache Traffic Server vulnerability with sslheader plugin", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/4f102f943935476732fb1fb653d687c7b69d29d9792f0d6cf72c505e%40%3Cannounce.trafficserver.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "Apache Traffic Server 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, 8.0.0 to 8.0.1", }, ], }, ], datePublic: "2019-02-12T00:00:00", descriptions: [ { lang: "en", value: "sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios. 
This problem was discovered in versions 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, and 8.0.0 to 8.0.1.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-03-08T10:57:01", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "107032", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/107032", }, { name: "[trafficserver-announce] 20190212 [ANNOUNCE] Apache Traffic Server vulnerability with sslheader plugin", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/4f102f943935476732fb1fb653d687c7b69d29d9792f0d6cf72c505e%40%3Cannounce.trafficserver.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", DATE_PUBLIC: "2019-02-12T00:00:00", ID: "CVE-2018-11783", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "Apache Traffic Server 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, 8.0.0 to 8.0.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios. 
This problem was discovered in versions 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, and 8.0.0 to 8.0.1.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "107032", refsource: "BID", url: "http://www.securityfocus.com/bid/107032", }, { name: "[trafficserver-announce] 20190212 [ANNOUNCE] Apache Traffic Server vulnerability with sslheader plugin", refsource: "MLIST", url: "https://lists.apache.org/thread.html/4f102f943935476732fb1fb653d687c7b69d29d9792f0d6cf72c505e@%3Cannounce.trafficserver.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2018-11783", datePublished: "2019-03-07T18:00:00Z", dateReserved: "2018-06-05T00:00:00", dateUpdated: "2024-09-16T22:15:51.127Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
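The following is an added illustration of the failure mode this record describes; it is not the sslheaders plugin's source. A header plugin that only overwrites its configured headers when a client certificate is present leaves any client-supplied copies of those headers intact, so the origin cannot tell a proxy-set identity from a forged one. The header names, the "no certificate presented" scenario and the case-variant duplicate are assumptions made for the example.

```python
"""Model of the header-handling decision in a client-certificate header
plugin such as sslheaders. Written for this page; not the ATS plugin's
code. Header names and scenarios below are assumptions."""

from typing import Dict, Optional

# Assumed header names; a real deployment configures its own.
CERT_HEADERS = {
    "SSL-Client-Subject": "subject",
    "SSL-Client-Issuer": "issuer",
    "SSL-Client-Serial": "serial",
}


def set_ssl_headers_vulnerable(
    request_headers: Dict[str, str], client_cert: Optional[Dict[str, str]]
) -> Dict[str, str]:
    """Only touches the configured headers when a client certificate was
    presented. Without one (plain HTTP, or TLS without client auth) the
    request is forwarded as received, including forged identity headers.
    Even with a certificate, a client-supplied copy under a different
    letter case survives as a second header with the same name."""
    headers = dict(request_headers)
    if client_cert is not None:
        for name, field in CERT_HEADERS.items():
            headers[name] = client_cert[field]
    return headers


def set_ssl_headers_hardened(
    request_headers: Dict[str, str], client_cert: Optional[Dict[str, str]]
) -> Dict[str, str]:
    """Always strips the configured headers from the inbound request first,
    comparing names case-insensitively as HTTP requires, so a value can only
    originate from the certificate the proxy itself verified."""
    managed = {name.lower() for name in CERT_HEADERS}
    headers = {k: v for k, v in request_headers.items() if k.lower() not in managed}
    if client_cert is not None:
        for name, field in CERT_HEADERS.items():
            headers[name] = client_cert[field]
    return headers


def forged_headers_reaching_origin(
    request_headers: Dict[str, str], client_cert: Optional[Dict[str, str]]
) -> Dict[str, str]:
    """Headers the origin would receive from the vulnerable path that did not
    come from the certificate: the attacker-controlled residue."""
    out = set_ssl_headers_vulnerable(request_headers, client_cert)
    legit = set(CERT_HEADERS) if client_cert is not None else set()
    return {k: v for k, v in out.items()
            if k.lower() in {n.lower() for n in CERT_HEADERS} and k not in legit}


if __name__ == "__main__":
    # Constructed request: no client certificate, forged identity header.
    forged = {"Host": "app.internal", "ssl-client-subject": "CN=admin"}
    print("vulnerable:", set_ssl_headers_vulnerable(forged, None))
    print("hardened:  ", set_ssl_headers_hardened(forged, None))
```

The practical check is the one in the hardened function: strip unconditionally, then set, rather than set-if-present. A quick way to confirm a deployment does this is to send a request without a client certificate that carries the configured header names and see whether the origin logs them.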
CVE-2021-37150 (GCVE-0-2021-37150)
Vulnerability from cvelistv5
Published
2022-08-10 00:00
Modified
2024-08-04 01:16
Summary
Improper Input Validation vulnerability in the header parsing of Apache Traffic Server allows an attacker to request secure resources (record title: "Protocol vs scheme mismatch"). This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21 | mailing-list (Apache announcement) | |
https://www.debian.org/security/2022/dsa-5206 | DSA-5206, vendor-advisory | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/ | FEDORA-2022-9832c0c04b, vendor-advisory | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/ | FEDORA-2022-23043f5a0b, vendor-advisory | |
https://lists.debian.org/debian-lts-announce/2023/01/msg00019.html | DLA 3279-1, mailing-list |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: 8.0.0 to 9.1.2 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T01:16:04.051Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", }, { name: "DSA-5206", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5206", }, { name: "FEDORA-2022-9832c0c04b", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/", }, { name: "FEDORA-2022-23043f5a0b", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/", }, { name: "[debian-lts-announce] 20230123 [SECURITY] [DLA 3279-1] trafficserver security update", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00019.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "8.0.0 to 9.1.2", }, ], }, ], descriptions: [ { lang: "en", value: "Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. 
This issue affects Apache Traffic Server 8.0.0 to 9.1.2.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-23T00:00:00", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { url: "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", }, { name: "DSA-5206", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2022/dsa-5206", }, { name: "FEDORA-2022-9832c0c04b", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJ67IWD5PRJUOIYIDJRUG3UMS2UF4X4J/", }, { name: "FEDORA-2022-23043f5a0b", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCSBQBYPOZSWS5LCOAQ6LJLRLXFIAW5A/", }, { name: "[debian-lts-announce] 20230123 [SECURITY] [DLA 3279-1] trafficserver security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00019.html", }, ], source: { discovery: "UNKNOWN", }, title: "Protocol vs scheme mismatch", x_generator: { engine: "Vulnogram 0.0.9", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-37150", datePublished: "2022-08-10T00:00:00", dateReserved: "2021-07-21T00:00:00", dateUpdated: "2024-08-04T01:16:04.051Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-44759 (GCVE-0-2021-44759)
Vulnerability from cvelistv5
Published
2022-03-23 14:05
Modified
2024-08-04 04:32
Summary
Improper Authentication vulnerability in the TLS origin validation of Apache Traffic Server allows an attacker to mount a man-in-the-middle attack against proxy-to-origin connections. This issue affects Apache Traffic Server 8.0.0 to 8.1.0.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/zblwzcfs9ryhwjr89wz4osw55pxm6dx6 | x_refsource_MISC | |
https://www.debian.org/security/2022/dsa-5153 | vendor-advisory, x_refsource_DEBIAN |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: 8.0.0 to 8.1.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T04:32:12.307Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/zblwzcfs9ryhwjr89wz4osw55pxm6dx6", }, { name: "DSA-5153", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5153", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "8.0.0 to 8.1.0", }, ], }, ], credits: [ { lang: "en", value: "Apache Traffic Server would like to thank Takuya Kitano for reporting this issue.", }, ], descriptions: [ { lang: "en", value: "Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the middle attack. This issue affects Apache Traffic Server 8.0.0 to 8.1.0.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287 Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-31T10:06:38", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/zblwzcfs9ryhwjr89wz4osw55pxm6dx6", }, { name: "DSA-5153", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2022/dsa-5153", }, ], source: { discovery: "UNKNOWN", }, title: "Improper authentication vulnerability in TLS origin verification", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-44759", STATE: "PUBLIC", TITLE: "Improper authentication vulnerability in TLS origin verification", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { 
version_data: [ { version_value: "8.0.0 to 8.1.0", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "Apache Traffic Server would like to thank Takuya Kitano for reporting this issue.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the middle attack. This issue affects Apache Traffic Server 8.0.0 to 8.1.0.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-287 Improper Authentication", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/zblwzcfs9ryhwjr89wz4osw55pxm6dx6", refsource: "MISC", url: "https://lists.apache.org/thread/zblwzcfs9ryhwjr89wz4osw55pxm6dx6", }, { name: "DSA-5153", refsource: "DEBIAN", url: "https://www.debian.org/security/2022/dsa-5153", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-44759", datePublished: "2022-03-23T14:05:20", dateReserved: "2021-12-09T00:00:00", dateUpdated: "2024-08-04T04:32:12.307Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-56195 (GCVE-0-2024-56195)
Vulnerability from cvelistv5
Published
2025-03-06 11:23
Modified
2025-03-06 15:37
Severity: CVSS 3.1 base score 6.3 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (CISA ADP); Apache rates the issue "important".
Summary
Improper Access Control vulnerability in Apache Traffic Server (record title: "Apache Traffic Server: Intercept plugins are not access controlled").
This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3.
Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: from 9.2.0 through 9.2.8 | Version: from 10.0.0 through 10.0.3 |
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, }, { other: { content: { id: "CVE-2024-56195", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-06T15:36:13.179178Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-06T15:37:24.745Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "9.2.8", status: "affected", version: "9.2.0", versionType: "semver", }, { lessThanOrEqual: "10.0.3", status: "affected", version: "10.0.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "reporter", value: "Masaori Koshiba", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Improper Access Control vulnerability in Apache Traffic Server.</p><p>This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3.</p><p>Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.</p>", }, ], value: "Improper Access Control vulnerability in Apache Traffic Server.\n\nThis issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3.\n\nUsers are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-284", 
description: "CWE-284 Improper Access Control", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-06T11:23:37.067Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Intercept plugins are not access controlled", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-56195", datePublished: "2025-03-06T11:23:37.067Z", dateReserved: "2024-12-18T17:56:13.320Z", dateUpdated: "2025-03-06T15:37:24.745Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2017-5660 (GCVE-0-2017-5660)
Vulnerability from cvelistv5
Published
2018-02-27 20:00
Modified
2024-09-17 00:37
Summary
There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and prior and 7.0.0 and prior in the handling of the Host header when it uses line folding (obs-fold). When ATS interacts with upstream proxies this can lead to the wrong host being used.
References
▼ | URL | Tags |
---|---|---|
https://www.debian.org/security/2018/dsa-4128 | vendor-advisory, x_refsource_DEBIAN | |
https://lists.apache.org/thread.html/22d84783d94c53a5132ec89f002fe5165c87561a9428bcb6713b3c98%40%3Cdev.trafficserver.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: 6.2.0 and prior Version: 7.0.0 and prior |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T15:11:47.393Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "DSA-4128", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2018/dsa-4128", }, { name: "[dev] 20180227 [ANNOUNCE] Apache Traffic Server host header and line folding - CVE-2017-5660", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/22d84783d94c53a5132ec89f002fe5165c87561a9428bcb6713b3c98%40%3Cdev.trafficserver.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "6.2.0 and prior", }, { status: "affected", version: "7.0.0 and prior", }, ], }, ], datePublic: "2018-02-27T00:00:00", descriptions: [ { lang: "en", value: "There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and prior and 7.0.0 and prior with the Host header and line folding. 
This can have issues when interacting with upstream proxies and the wrong host being used.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-03-03T10:57:01", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "DSA-4128", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2018/dsa-4128", }, { name: "[dev] 20180227 [ANNOUNCE] Apache Traffic Server host header and line folding - CVE-2017-5660", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/22d84783d94c53a5132ec89f002fe5165c87561a9428bcb6713b3c98%40%3Cdev.trafficserver.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", DATE_PUBLIC: "2018-02-27T00:00:00", ID: "CVE-2017-5660", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "6.2.0 and prior", }, { version_value: "7.0.0 and prior", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and prior and 7.0.0 and prior with the Host header and line folding. 
This can have issues when interacting with upstream proxies and the wrong host being used.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "DSA-4128", refsource: "DEBIAN", url: "https://www.debian.org/security/2018/dsa-4128", }, { name: "[dev] 20180227 [ANNOUNCE] Apache Traffic Server host header and line folding - CVE-2017-5660", refsource: "MLIST", url: "https://lists.apache.org/thread.html/22d84783d94c53a5132ec89f002fe5165c87561a9428bcb6713b3c98@%3Cdev.trafficserver.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2017-5660", datePublished: "2018-02-27T20:00:00Z", dateReserved: "2017-01-29T00:00:00", dateUpdated: "2024-09-17T00:37:13.932Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-32566 (GCVE-0-2021-32566)
Vulnerability from cvelistv5
Published
2021-06-30 07:15
Modified
2024-08-03 23:25
Summary
Improper Input Validation vulnerability in the HTTP/2 implementation of Apache Traffic Server allows an attacker to cause a denial of service (record title: "Specific sequence of HTTP/2 frames can cause ATS to crash"). This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E | x_refsource_MISC | |
https://www.debian.org/security/2021/dsa-4957 | vendor-advisory, x_refsource_DEBIAN |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:25:30.377Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4957", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-4957", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1", }, ], }, ], descriptions: [ { lang: "en", value: "Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-08-14T14:06:15", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4957", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-4957", }, ], source: { discovery: "UNKNOWN", }, title: "Specific sequence of HTTP/2 frames can cause ATS to crash", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-32566", STATE: "PUBLIC", TITLE: "Specific sequence of HTTP/2 frames can cause ATS to crash", }, affects: { vendor: { vendor_data: [ { product: { 
product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_name: "Apache Traffic Server", version_value: "7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-20 Improper Input Validation", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E", }, { name: "DSA-4957", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-4957", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-32566", datePublished: "2021-06-30T07:15:19", dateReserved: "2021-05-11T00:00:00", dateUpdated: "2024-08-03T23:25:30.377Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2021-38161 (GCVE-0-2021-38161)
Vulnerability from cvelistv5
Published
2021-11-03 15:20
Modified
2024-08-04 01:37
Summary
Improper Authentication vulnerability in the TLS origin verification of Apache Traffic Server allows man-in-the-middle attacks against proxy-to-origin connections (record title: "Not validating origin TLS certificate"). This issue affects Apache Traffic Server 8.0.0 to 8.0.8.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164 | x_refsource_MISC | |
https://www.debian.org/security/2022/dsa-5153 | vendor-advisory, x_refsource_DEBIAN |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: 8.0.0 to 8.0.8 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T01:37:15.519Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, { name: "DSA-5153", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5153", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "8.0.0 to 8.0.8", }, ], }, ], descriptions: [ { lang: "en", value: "Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287 Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-31T10:06:39", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, { name: "DSA-5153", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2022/dsa-5153", }, ], source: { discovery: "UNKNOWN", }, title: "Not validating origin TLS certificate", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-38161", STATE: "PUBLIC", TITLE: "Not validating origin TLS certificate", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "8.0.0 to 8.0.8", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", 
description: { description_data: [ { lang: "eng", value: "Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ {}, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-287 Improper Authentication", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", refsource: "MISC", url: "https://lists.apache.org/thread/k01797hyncx53659wr3o72s5cvkc3164", }, { name: "DSA-5153", refsource: "DEBIAN", url: "https://www.debian.org/security/2022/dsa-5153", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-38161", datePublished: "2021-11-03T15:20:24", dateReserved: "2021-08-07T00:00:00", dateUpdated: "2024-08-04T01:37:15.519Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
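CVE-2021-44759 and CVE-2021-38161 above are both failures of the same step: the proxy opening a TLS connection to an origin and deciding whether to trust the certificate it gets back. The block below is an added example written for this page, not Apache Traffic Server code, modelling that decision with Python's `ssl` module. It separates the two checks a forward proxy has to make (chain validates to a trusted CA; certificate is bound to the origin name that was requested) because dropping either one is enough for an on-path attacker to stand in for the origin: with no verification any certificate works, and with chain-only verification any CA-issued certificate for any name works. The policy names, the `chain_ok` input standing in for the library's chain result, and the simplified SAN matcher are assumptions of the example.

```python
"""Origin-side TLS verification policy, modelled for this page to illustrate
CVE-2021-44759 and CVE-2021-38161 (not Apache Traffic Server code).
The SAN matcher is a simplified stand-in for a full RFC 6125 comparison."""

import ssl
from typing import Dict, Sequence, Tuple


def origin_context(policy: str) -> ssl.SSLContext:
    """Build the client-side context the proxy would use toward an origin.
    'disabled': no verification at all; 'chain-only': chain validated but
    any name accepted; 'enforced': chain and name both checked."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if policy == "disabled":
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif policy == "chain-only":
        ctx.check_hostname = False      # verify_mode stays CERT_REQUIRED
    elif policy == "enforced":
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return ctx


def context_summary(policy: str) -> Tuple[bool, str]:
    """(check_hostname, verify_mode name) for a policy, for inspection."""
    ctx = origin_context(policy)
    return ctx.check_hostname, ctx.verify_mode.name


def _dns_name_matches(pattern: str, host: str) -> bool:
    """One DNS-ID comparison: exact match, or a single leading wildcard label
    covering exactly one label (*.origin.example matches api.origin.example,
    not a.b.origin.example and not origin.example)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def origin_name_matches(peer_cert: Dict, origin_host: str) -> bool:
    """Bind a certificate (ssl.getpeercert() dict shape) to the intended
    origin host using DNS SANs only; no CommonName fallback."""
    sans: Sequence[Tuple[str, str]] = peer_cert.get("subjectAltName", ())
    return any(kind == "DNS" and _dns_name_matches(value, origin_host)
               for kind, value in sans)


def trust_origin(policy: str, peer_cert: Dict, origin_host: str, chain_ok: bool) -> bool:
    """Decision the proxy makes after the handshake. chain_ok stands in for
    the TLS library's chain-validation result (constructed input here)."""
    if policy == "disabled":
        return True                     # anything on path is accepted
    if policy == "chain-only":
        return chain_ok                 # any CA-issued cert for any name passes
    if policy == "enforced":
        return chain_ok and origin_name_matches(peer_cert, origin_host)
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed certificate an on-path attacker might present.
    mitm = {"subjectAltName": (("DNS", "attacker.example"),)}
    for policy in ("disabled", "chain-only", "enforced"):
        print(policy, trust_origin(policy, mitm, "api.origin.example", chain_ok=True))
```

The "chain-only" case is the one most often missed in review: the handshake succeeds, the library reports a valid chain, and nothing checks that the name on the certificate is the origin the proxy meant to reach. ATS 8 and later expose this policy through records.config settings (`proxy.config.ssl.client.verify.server.policy` and `proxy.config.ssl.client.verify.server.properties`, the latter selecting whether the signature, the name or both are checked); those names come from the ATS documentation rather than from this page, so confirm them against the release you run.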
CVE-2017-5659 (GCVE-0-2017-5659)
Vulnerability from cvelistv5
Published
2017-04-17 18:00
Modified
2024-08-05 15:11
Summary
Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between the Content-Length header and chunked transfer encoding in a message.
References
▼ | URL | Tags |
---|---|---|
https://issues.apache.org/jira/browse/TS-4819 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/97949 | vdb-entry, x_refsource_BID | |
http://www.securitytracker.com/id/1038275 | vdb-entry, x_refsource_SECTRACK |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: All versions prior to version 6.2.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T15:11:48.217Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://issues.apache.org/jira/browse/TS-4819", }, { name: "97949", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/97949", }, { name: "1038275", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1038275", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "All versions prior to version 6.2.1", }, ], }, ], datePublic: "2017-01-20T00:00:00", descriptions: [ { lang: "en", value: "Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked encoding.", }, ], problemTypes: [ { descriptions: [ { description: "DoS attack", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-07-10T09:57:01", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://issues.apache.org/jira/browse/TS-4819", }, { name: "97949", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/97949", }, { name: "1038275", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1038275", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2017-5659", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "All versions prior to version 6.2.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { 
description_data: [ { lang: "eng", value: "Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked encoding.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "DoS attack", }, ], }, ], }, references: { reference_data: [ { name: "https://issues.apache.org/jira/browse/TS-4819", refsource: "CONFIRM", url: "https://issues.apache.org/jira/browse/TS-4819", }, { name: "97949", refsource: "BID", url: "http://www.securityfocus.com/bid/97949", }, { name: "1038275", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1038275", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2017-5659", datePublished: "2017-04-17T18:00:00", dateReserved: "2017-01-29T00:00:00", dateUpdated: "2024-08-05T15:11:48.217Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
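Both CVE-2017-5660 (Host header with line folding) and CVE-2017-5659 (Content-Length conflicting with chunked encoding) come down to what an HTTP/1.1 header parser accepts. The block below is an added example written for this page, not Apache Traffic Server's parser. It shows the lenient behaviour that makes a folded Host value ambiguous between intermediaries, and a strict validator that rejects obs-fold and conflicting framing headers outright, as RFC 7230 sections 3.2.4 and 3.3.3 direct. The sample requests are constructed for the example.

```python
"""Strict HTTP/1.1 request-header checks illustrating the two parsing
problems recorded above. Written for this page; not ATS code."""

from typing import Dict, List, Tuple


class FramingError(ValueError):
    """Raised when a request must be rejected rather than forwarded."""


def split_header_lines(raw: bytes) -> Tuple[str, List[str]]:
    """Split a raw request into its request-line and header field lines."""
    text = raw.decode("latin-1")
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        raise FramingError("header block not terminated")
    lines = head.split("\r\n")
    return lines[0], lines[1:]


def parse_headers(lines: List[str], allow_obs_fold: bool) -> Dict[str, List[str]]:
    """Return lower-cased name -> list of values.
    With allow_obs_fold=True a line starting with SP or HTAB is appended to
    the previous field value (RFC 7230 3.2.4 obs-fold), the lenient reading
    that lets a Host value span lines; strict mode rejects it."""
    headers: Dict[str, List[str]] = {}
    last = ""
    for line in lines:
        if line[:1] in (" ", "\t"):
            if not allow_obs_fold or not last:
                raise FramingError("obs-fold rejected")
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise FramingError(f"malformed field line: {line!r}")
        last = name.lower()
        headers.setdefault(last, []).append(value.strip())
    return headers


def validate_request(raw: bytes) -> Dict[str, object]:
    """Strict validation: one Host, no obs-fold, unambiguous body framing."""
    request_line, lines = split_header_lines(raw)
    headers = parse_headers(lines, allow_obs_fold=False)

    hosts = headers.get("host", [])
    if len(hosts) != 1 or not hosts[0]:
        raise FramingError(f"exactly one Host header required, got {hosts}")

    te = [t.strip().lower()
          for v in headers.get("transfer-encoding", []) for t in v.split(",")]
    cls = headers.get("content-length", [])
    if te and cls:
        # RFC 7230 3.3.3: both present is a smuggling vector; reject rather
        # than pick one and hope every hop picks the same.
        raise FramingError("Content-Length and Transfer-Encoding both present")
    if te and te[-1] != "chunked":
        raise FramingError("chunked must be the final transfer coding")
    if len(set(cls)) > 1 or any(not c.isdigit() for c in cls):
        raise FramingError(f"invalid Content-Length: {cls}")

    return {
        "request_line": request_line,
        "host": hosts[0],
        "framing": "chunked" if te else ("content-length" if cls else "none"),
        "content_length": int(cls[0]) if cls else None,
    }


def is_well_framed(raw: bytes) -> bool:
    """Boolean wrapper around validate_request for quick checks."""
    try:
        validate_request(raw)
        return True
    except FramingError:
        return False


if __name__ == "__main__":
    # Constructed request whose Host continues on a folded line.
    folded = b"GET / HTTP/1.1\r\nHost: internal.example\r\n evil.example\r\n\r\n"
    print("lenient sees Host =",
          parse_headers(split_header_lines(folded)[1], allow_obs_fold=True)["host"])
    print("strict accepts:", is_well_framed(folded))
```

The lenient parse is the interesting output: the folded Host becomes a single value containing a space, while a hop that does not understand folding sees only the first line. Whenever two parsers in a chain can disagree about which host or which body length a request has, the safe behaviour for the proxy is to refuse the request.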
CVE-2024-31309 (GCVE-0-2024-31309)
Vulnerability from cvelistv5
Published
2024-04-10 12:07
Modified
2025-02-13 17:47
Severity: CVSS 3.1 base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CISA ADP); Apache rates the issue "moderate".
Summary
An HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Versions 8.0.0 through 8.1.9 and 9.0.0 through 9.2.3 are affected.
The fixed releases add a setting, proxy.config.http2.max_continuation_frames_per_minute, that limits the number of CONTINUATION frames accepted per minute. ATS already caps the amount of memory a single request may use, and earlier releases honour that cap, so the exposure is to excess resource consumption within that bound rather than unbounded memory growth.
Users are recommended to upgrade to version 8.1.10 or 9.2.4, which fixes the issue.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc | vendor-advisory | |
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV77HYM7ARSTL3B6U3IFG7PHDU65WL4I/ | | |
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3XON6RM5ZKCZ6K6NB7BOTAWMJQKXJDO/ | | |
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBKLPQ6ECG4PGEPRCYI3Y3OITNDEFCCV/ | | |
https://lists.debian.org/debian-lts-announce/2024/04/msg00021.html | | |
http://www.openwall.com/lists/oss-security/2024/04/03/16 | | |
http://www.openwall.com/lists/oss-security/2024/04/10/7 | |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Traffic Server |
Version: from 8.0.0 through 8.1.9 | Version: from 9.0.0 through 9.2.3 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "traffic_server", vendor: "apache", versions: [ { lessThanOrEqual: "8.1.9", status: "affected", version: "8.0.0", versionType: "custom", }, { lessThanOrEqual: "9.2.3", status: "affected", version: "9.0.0", versionType: "custom", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-31309", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-11-12T18:21:30.828481Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-11-12T18:24:22.338Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T01:52:56.330Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV77HYM7ARSTL3B6U3IFG7PHDU65WL4I/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3XON6RM5ZKCZ6K6NB7BOTAWMJQKXJDO/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBKLPQ6ECG4PGEPRCYI3Y3OITNDEFCCV/", }, { tags: [ "x_transferred", ], url: 
"https://lists.debian.org/debian-lts-announce/2024/04/msg00021.html", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/04/03/16", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/04/10/7", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "8.1.9", status: "affected", version: "8.0.0", versionType: "semver", }, { lessThanOrEqual: "9.2.3", status: "affected", version: "9.0.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "reporter", value: "Bartek Nowotarski", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>HTTP/2 <span style=\"background-color: rgb(255, 255, 255);\">CONTINUATION</span> DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected.</p>Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases.<br><p>Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.</p>", }, ], value: "HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected.\n\nUsers can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. 
ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases.\nUsers are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.", }, ], metrics: [ { other: { content: { text: "moderate", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-01T18:06:33.496Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV77HYM7ARSTL3B6U3IFG7PHDU65WL4I/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3XON6RM5ZKCZ6K6NB7BOTAWMJQKXJDO/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBKLPQ6ECG4PGEPRCYI3Y3OITNDEFCCV/", }, { url: "https://lists.debian.org/debian-lts-announce/2024/04/msg00021.html", }, { url: "http://www.openwall.com/lists/oss-security/2024/04/03/16", }, { url: "http://www.openwall.com/lists/oss-security/2024/04/10/7", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: HTTP/2 CONTINUATION frames can be utilized for DoS attack", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-31309", datePublished: "2024-04-10T12:07:16.975Z", dateReserved: "2024-03-29T18:52:13.204Z", dateUpdated: "2025-02-13T17:47:53.194Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-56196 (GCVE-0-2024-56196)
Vulnerability from cvelistv5
Published
2025-03-06 11:21
Modified
2025-03-06 15:37
Summary
Improper Access Control vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3.
Users are recommended to upgrade to version 10.0.4, which fixes the issue.
References
URL | Tags
---|---
https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023 | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 10.0.0 ≤ 10.0.3
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, }, { other: { content: { id: "CVE-2024-56196", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-06T15:37:33.306332Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-06T15:37:59.338Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "10.0.3", status: "affected", version: "10.0.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "reporter", value: "Chris McFarlen", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Improper Access Control vulnerability in Apache Traffic Server.</p><p>This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3.</p><p>Users are recommended to upgrade to version 10.0.4, which fixes the issue.</p>", }, ], value: "Improper Access Control vulnerability in Apache Traffic Server.\n\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.0.3.\n\nUsers are recommended to upgrade to version 10.0.4, which fixes the issue.", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-284", description: "CWE-284 Improper Access Control", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-06T11:21:49.763Z", orgId: 
"f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: ACL is not fully compatible with older versions", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-56196", datePublished: "2025-03-06T11:21:49.763Z", dateReserved: "2024-12-18T18:11:39.803Z", dateUpdated: "2025-03-06T15:37:59.338Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-40743 (GCVE-0-2022-40743)
Vulnerability from cvelistv5
Published
2022-12-19 11:06
Modified
2025-04-17 14:19
Summary
Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks. This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.
References
URL | Tags
---|---
https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02 | vendor-advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 9.0.0 <
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:28:41.365Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2022-40743", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-17T14:19:23.787463Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-17T14:19:43.233Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "9.1.3", status: "affected", version: "9.0.0", versionType: "custom", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Nick Frost", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.<p>This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. 
Users should upgrade to 9.1.4 or later versions.<br></p>", }, ], value: "Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.\n\n", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-07-17T14:33:10.180Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: Security issues with the xdebug plugin", workarounds: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Disable the xdebug plugin or change the default header to activate the plugin.", }, ], value: "Disable the xdebug plugin or change the default header to activate the plugin.", }, ], x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-40743", datePublished: "2022-12-19T11:06:14.186Z", dateReserved: "2022-09-16T15:16:34.382Z", dateUpdated: "2025-04-17T14:19:43.233Z", requesterUserId: "01d7ebfd-4418-401d-b8e4-f5ae3da29160", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-33933 (GCVE-0-2023-33933)
Vulnerability from cvelistv5
Published
2023-06-14 07:44
Modified
2025-02-13 16:55
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.
8.x users should upgrade to 8.1.7 or later versions.
9.x users should upgrade to 9.2.1 or later versions.
References
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 8.0.0 ≤ 9.2.0
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T15:54:13.702Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/tns2b4khyyncgs5v5p9y35pobg9z2bvs", }, { tags: [ "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5435", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6GDCBNFDDW6ULW7CACJCPENI7BVDHM5O/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGWXNAEEVRUZ5JG4EJAIIFC3CI7LFETV/", }, { tags: [ "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/06/msg00037.html", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "traffic_server", vendor: "apache", versions: [ { lessThanOrEqual: "8.1.6", status: "affected", version: "8.0.0", versionType: "custom", }, { lessThanOrEqual: "9.2.0", status: "affected", version: "9.0.0", versionType: "custom", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2023-33933", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-09T13:54:57.967688Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-09T13:59:26.710Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", 
}, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "9.2.0", status: "affected", version: "8.0.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "reporter", value: "Masakazu Kitajo", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.<p>This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.</p><p>8.x users should upgrade to 8.1.7 or later versions<br>9.x users should upgrade to 9.2.1 or later versions<br></p>", }, ], value: "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.\n\n8.x users should upgrade to 8.1.7 or later versions\n9.x users should upgrade to 9.2.1 or later versions", }, ], metrics: [ { other: { content: { text: "low", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-06-30T01:06:12.404Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/tns2b4khyyncgs5v5p9y35pobg9z2bvs", }, { url: "https://www.debian.org/security/2023/dsa-5435", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6GDCBNFDDW6ULW7CACJCPENI7BVDHM5O/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGWXNAEEVRUZ5JG4EJAIIFC3CI7LFETV/", }, { url: "https://lists.debian.org/debian-lts-announce/2023/06/msg00037.html", 
}, ], source: { discovery: "UNKNOWN", }, title: "Apache Traffic Server: s3_auth plugin problem with hash calculation", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2023-33933", datePublished: "2023-06-14T07:44:12.626Z", dateReserved: "2023-05-23T16:24:45.689Z", dateUpdated: "2025-02-13T16:55:12.292Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2020-9494 (GCVE-0-2020-9494)
Vulnerability from cvelistv5
Published
2020-06-24 15:25
Modified
2024-08-04 10:34
Summary
Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.
References
URL | Tags
---|---
https://lists.apache.org/thread.html/rf7f86917f42fdaf904d99560cba0c016e03baea6244c47efeb60ecbe%40%3Cdev.trafficserver.apache.org%3E | x_refsource_CONFIRM
https://www.debian.org/security/2020/dsa-4710 | vendor-advisory, x_refsource_DEBIAN
http://www.openwall.com/lists/oss-security/2021/03/01/2 | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 6.0.0 to 6.2.3; 7.0.0 to 7.1.10; 8.0.0 to 8.0.7
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T10:34:37.925Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf7f86917f42fdaf904d99560cba0c016e03baea6244c47efeb60ecbe%40%3Cdev.trafficserver.apache.org%3E", }, { name: "DSA-4710", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2020/dsa-4710", }, { name: "[oss-security] 20210301 CVE-2021-25329: Apache Tomcat Incomplete fix for CVE-2020-9484", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2021/03/01/2", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "6.0.0 to 6.2.3", }, { status: "affected", version: "7.0.0 to 7.1.10", }, { status: "affected", version: "8.0.0 to 8.0.7", }, ], }, ], descriptions: [ { lang: "en", value: "Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-03-01T15:06:31", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://lists.apache.org/thread.html/rf7f86917f42fdaf904d99560cba0c016e03baea6244c47efeb60ecbe%40%3Cdev.trafficserver.apache.org%3E", }, { name: "DSA-4710", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2020/dsa-4710", }, { name: "[oss-security] 20210301 CVE-2021-25329: Apache Tomcat Incomplete fix for CVE-2020-9484", tags: [ "mailing-list", 
"x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2021/03/01/2", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2020-9494", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "6.0.0 to 6.2.3", }, { version_value: "7.0.0 to 7.1.10", }, { version_value: "8.0.0 to 8.0.7", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/rf7f86917f42fdaf904d99560cba0c016e03baea6244c47efeb60ecbe%40%3Cdev.trafficserver.apache.org%3E", refsource: "CONFIRM", url: "https://lists.apache.org/thread.html/rf7f86917f42fdaf904d99560cba0c016e03baea6244c47efeb60ecbe%40%3Cdev.trafficserver.apache.org%3E", }, { name: "DSA-4710", refsource: "DEBIAN", url: "https://www.debian.org/security/2020/dsa-4710", }, { name: "[oss-security] 20210301 CVE-2021-25329: Apache Tomcat Incomplete fix for CVE-2020-9484", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2021/03/01/2", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2020-9494", datePublished: "2020-06-24T15:25:57", dateReserved: "2020-03-01T00:00:00", dateUpdated: "2024-08-04T10:34:37.925Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2018-8022 (GCVE-0-2018-8022)
Vulnerability from cvelistv5
Published
2018-08-29 13:00
Modified
2024-09-16 21:57
Summary
A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. This affects version 6.2.2. To resolve this issue, users running 6.2.2 should upgrade to 6.2.3 or later versions.
References
URL | Tags
---|---
https://lists.apache.org/thread.html/ce404d2fe16cc59085ece5a6236ccd1549def471a2a9508198d966b1%40%3Cusers.trafficserver.apache.org%3E | mailing-list, x_refsource_MLIST
http://www.securityfocus.com/bid/105183 | vdb-entry, x_refsource_BID
https://github.com/apache/trafficserver/pull/2147 | x_refsource_CONFIRM
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 6.2.2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T06:46:11.570Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with an invalid TLS handshake - CVE-2018-8022", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ce404d2fe16cc59085ece5a6236ccd1549def471a2a9508198d966b1%40%3Cusers.trafficserver.apache.org%3E", }, { name: "105183", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/105183", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/apache/trafficserver/pull/2147", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "6.2.2", }, ], }, ], datePublic: "2018-08-28T00:00:00", descriptions: [ { lang: "en", value: "A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. This affects version 6.2.2. 
To resolve this issue users running 6.2.2 should upgrade to 6.2.3 or later versions.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-09-01T09:57:01", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with an invalid TLS handshake - CVE-2018-8022", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ce404d2fe16cc59085ece5a6236ccd1549def471a2a9508198d966b1%40%3Cusers.trafficserver.apache.org%3E", }, { name: "105183", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/105183", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/apache/trafficserver/pull/2147", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", DATE_PUBLIC: "2018-08-28T00:00:00", ID: "CVE-2018-8022", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "6.2.2", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. This affects version 6.2.2. 
To resolve this issue users running 6.2.2 should upgrade to 6.2.3 or later versions.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with an invalid TLS handshake - CVE-2018-8022", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ce404d2fe16cc59085ece5a6236ccd1549def471a2a9508198d966b1@%3Cusers.trafficserver.apache.org%3E", }, { name: "105183", refsource: "BID", url: "http://www.securityfocus.com/bid/105183", }, { name: "https://github.com/apache/trafficserver/pull/2147", refsource: "CONFIRM", url: "https://github.com/apache/trafficserver/pull/2147", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2018-8022", datePublished: "2018-08-29T13:00:00Z", dateReserved: "2018-03-09T00:00:00", dateUpdated: "2024-09-16T21:57:30.534Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2018-8004 (GCVE-0-2018-8004)
Vulnerability from cvelistv5
Published
2018-08-29 13:00
Modified
2024-09-16 18:29
Summary
There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue, users running 6.x should upgrade to 6.2.3 or later versions, and 7.x users should upgrade to 7.1.4 or later versions.
References
URL | Tags
---|---
https://github.com/apache/trafficserver/pull/3201 | x_refsource_CONFIRM
https://github.com/apache/trafficserver/pull/3251 | x_refsource_CONFIRM
https://github.com/apache/trafficserver/pull/3192 | x_refsource_CONFIRM
http://www.securityfocus.com/bid/105192 | vdb-entry, x_refsource_BID
https://www.debian.org/security/2018/dsa-4282 | vendor-advisory, x_refsource_DEBIAN
https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5%40%3Cusers.trafficserver.apache.org%3E | mailing-list, x_refsource_MLIST
https://github.com/apache/trafficserver/pull/3231 | x_refsource_CONFIRM
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Traffic Server | 6.0.0 to 6.2.2; 7.0.0 to 7.1.3
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T06:37:59.651Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/apache/trafficserver/pull/3201", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/apache/trafficserver/pull/3251", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/apache/trafficserver/pull/3192", }, { name: "105192", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/105192", }, { name: "DSA-4282", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2018/dsa-4282", }, { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with multiple HTTP smuggling and cache poisoning attacks - CVE-2018-8004", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5%40%3Cusers.trafficserver.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/apache/trafficserver/pull/3231", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Traffic Server", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "6.0.0 to 6.2.2", }, { status: "affected", version: "7.0.0 to 7.1.3", }, ], }, ], datePublic: "2018-08-28T00:00:00", descriptions: [ { lang: "en", value: "There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. 
To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-09-02T09:57:01", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/apache/trafficserver/pull/3201", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/apache/trafficserver/pull/3251", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/apache/trafficserver/pull/3192", }, { name: "105192", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/105192", }, { name: "DSA-4282", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2018/dsa-4282", }, { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with multiple HTTP smuggling and cache poisoning attacks - CVE-2018-8004", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5%40%3Cusers.trafficserver.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/apache/trafficserver/pull/3231", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", DATE_PUBLIC: "2018-08-28T00:00:00", ID: "CVE-2018-8004", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Traffic Server", version: { version_data: [ { version_value: "6.0.0 to 6.2.2", }, { version_value: "7.0.0 to 7.1.3", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "There are multiple HTTP smuggling and cache poisoning issues when 
clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/apache/trafficserver/pull/3201", refsource: "CONFIRM", url: "https://github.com/apache/trafficserver/pull/3201", }, { name: "https://github.com/apache/trafficserver/pull/3251", refsource: "CONFIRM", url: "https://github.com/apache/trafficserver/pull/3251", }, { name: "https://github.com/apache/trafficserver/pull/3192", refsource: "CONFIRM", url: "https://github.com/apache/trafficserver/pull/3192", }, { name: "105192", refsource: "BID", url: "http://www.securityfocus.com/bid/105192", }, { name: "DSA-4282", refsource: "DEBIAN", url: "https://www.debian.org/security/2018/dsa-4282", }, { name: "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with multiple HTTP smuggling and cache poisoning attacks - CVE-2018-8004", refsource: "MLIST", url: "https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5@%3Cusers.trafficserver.apache.org%3E", }, { name: "https://github.com/apache/trafficserver/pull/3231", refsource: "CONFIRM", url: "https://github.com/apache/trafficserver/pull/3231", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2018-8004", datePublished: "2018-08-29T13:00:00Z", dateReserved: "2018-03-09T00:00:00", dateUpdated: "2024-09-16T18:29:48.650Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }