Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.
Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
Metrics
Affected Vendors & Products
References
History
Mon, 09 Sep 2024 19:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-20 |
Tue, 03 Sep 2024 17:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-20 | |
References |
| |
Metrics |
threat_severity
|
threat_severity
|
Tue, 13 Aug 2024 09:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-20 |
Mon, 12 Aug 2024 14:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Apache
Apache traffic Server |
|
Weaknesses | CWE-444 | |
CPEs | cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:* | |
Vendors & Products |
Apache
Apache traffic Server |
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-07-26T09:11:20.419Z
Updated: 2024-08-13T08:46:42.693Z
Reserved: 2023-07-18T19:58:23.902Z
Link: CVE-2023-38522
Vulnrichment
Updated: 2024-08-02T17:46:55.187Z
NVD
Status : Modified
Published: 2024-07-26T10:15:01.923
Modified: 2024-11-21T08:13:45.093
Link: CVE-2023-38522
Redhat