NotCVE - vendor:"Apache Software Foundation" product:"Apache Traffic Server" version:" >= 9.0.0 <= 9.2.3"

4 results (0.003 seconds)

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

CVE-2023-38522 – Apache Traffic Server: Incomplete field name check allows request smuggling

https://notcve.org/view.php?id=CVE-2023-38522

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. • https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0 • CWE-20: Improper Input Validation CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: -EPSS: 0%CPEs: 2EXPL: 0

CVE-2024-35296 – Apache Traffic Server: Invalid Accept-Encoding can force forwarding requests

https://notcve.org/view.php?id=CVE-2024-35296

Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. • https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0 • CWE-20: Improper Input Validation •

CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0

CVE-2024-35161 – Apache Traffic Server: Incomplete check for chunked trailer section allows request smuggling

https://notcve.org/view.php?id=CVE-2024-35161

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. • https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0 • CWE-20: Improper Input Validation CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: -EPSS: 0%CPEs: 2EXPL: 1

CVE-2024-31309 – Apache Traffic Server: HTTP/2 CONTINUATION frames can be utilized for DoS attack

https://notcve.org/view.php?id=CVE-2024-31309

HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases. Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue. Un ataque de HTTP/2 CONTINUATION DoS puede hacer que Apache Traffic Server consuma más recursos en el servidor. Las versiones de 8.0.0 a 8.1.9 y de 9.0.0 a 9.2.3 se ven afectadas. • https://github.com/lockness-Ko/CVE-2024-27316 http://www.openwall.com/lists/oss-security/2024/04/03/16 http://www.openwall.com/lists/oss-security/2024/04/10/7 https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc https://lists.debian.org/debian-lts-announce/2024/04/msg00021.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBKLPQ6ECG4PGEPRCYI3Y3OITNDEFCCV https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message • CWE-20: Improper Input Validation •