69 results (0.003 seconds)

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

CVE-2023-38522 – Apache Traffic Server: Incomplete field name check allows request smuggling

https://notcve.org/view.php?id=CVE-2023-38522

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. • https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0 • CWE-20: Improper Input Validation CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: -EPSS: 0%CPEs: 2EXPL: 0

CVE-2024-35296 – Apache Traffic Server: Invalid Accept-Encoding can force forwarding requests

https://notcve.org/view.php?id=CVE-2024-35296

Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. • https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0 • CWE-20: Improper Input Validation •

CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0

CVE-2024-35161 – Apache Traffic Server: Incomplete check for chunked trailer section allows request smuggling

https://notcve.org/view.php?id=CVE-2024-35161

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. • https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0 • CWE-20: Improper Input Validation CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: -EPSS: 0%CPEs: 2EXPL: 1

CVE-2024-31309 – Apache Traffic Server: HTTP/2 CONTINUATION frames can be utilized for DoS attack

https://notcve.org/view.php?id=CVE-2024-31309

HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server.  Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute.  ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases. Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue. Un ataque de HTTP/2 CONTINUATION DoS puede hacer que Apache Traffic Server consuma más recursos en el servidor. Las versiones de 8.0.0 a 8.1.9 y de 9.0.0 a 9.2.3 se ven afectadas. • https://github.com/lockness-Ko/CVE-2024-27316 http://www.openwall.com/lists/oss-security/2024/04/03/16 http://www.openwall.com/lists/oss-security/2024/04/10/7 https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc https://lists.debian.org/debian-lts-announce/2024/04/msg00021.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBKLPQ6ECG4PGEPRCYI3Y3OITNDEFCCV https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message • CWE-20: Improper Input Validation •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

CVE-2023-39456 – Apache Traffic Server: Malformed http/2 frames can cause an abort

https://notcve.org/view.php?id=CVE-2023-39456

Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 9.2.3, which fixes the issue. Vulnerabilidad de validación de entrada incorrecta en Apache Traffic Server con frames HTTP/2 con formato incorrecto. Este problema afecta a Apache Traffic Server: desde 9.0.0 hasta 9.2.2. Se recomienda a los usuarios actualizar a la versión 9.2.3, que soluciona el problema. • https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3 https://www.debian.org/security/2023/dsa-5549 • CWE-20: Improper Input Validation •