
CVSS: 9.1 | EPSS: 0% | CPEs: 2 | EXPL: 0

Apache Traffic Server forwards a malformed HTTP chunked trailer section to origin servers unchanged. Because the trailer section travels inside the request body, the origin's own HTTP parser, not the proxy's, decides what those bytes mean; this can be used for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server from 8.0.0 through 8.1.10 and from 9.0.0 through 9.2.4. Users can set a new setting (proxy.config.http.drop_chunked_trailers) so that the chunked trailer section is not forwarded at all. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. • https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0 • CWE-20: Improper Input Validation • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
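As an added example (this is not Apache Traffic Server code and does not reproduce the bug), the following Python decoder shows what validating a chunked trailer section before forwarding involves, and what the "do not forward the trailer section" option amounts to when the proxy cannot vouch for the trailers. The FORBIDDEN_TRAILERS set, the verdict() and reframe_for_origin() helpers and the sample bodies are constructed for this illustration; the trailer rules follow RFC 9110/9112.

```python
"""Strict HTTP/1.1 chunked-body decoder that validates the trailer section.

Added example, not Apache Traffic Server code. A proxy that relays the trailer
section verbatim hands the origin whatever bytes follow the last chunk, so the
origin's parser decides what they mean (CWE-444). A proxy that validates the
trailers, or drops them outright (the advisory's opt-in setting), forwards only
framing it produced itself.
"""
import re

# Field names RFC 9110 forbids in a trailer section because they affect
# framing, routing or content handling; an origin that honours one of these
# from a trailer is reinterpreting the message after the fact. (Constructed
# list for this example; extend as needed.)
FORBIDDEN_TRAILERS = {
    b"transfer-encoding", b"content-length", b"host", b"content-type",
    b"content-encoding", b"content-range", b"trailer", b"authorization",
}
HEX = re.compile(rb"[0-9A-Fa-f]+")
TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # RFC 9110 token


class ChunkedError(ValueError):
    """Raised when the body is not well-formed chunked encoding."""


def _read_line(buf, pos):
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ChunkedError("line not terminated by CRLF")
    return buf[pos:end], end + 2


def _parse_trailer_line(line):
    """Validate one trailer field line; return (name, value) or raise."""
    if line[:1] in (b" ", b"\t"):
        raise ChunkedError("obsolete line folding in trailer section")
    name, sep, value = line.partition(b":")
    if not sep or not TOKEN.fullmatch(name):
        raise ChunkedError("not a field line: %r" % line)
    value = value.strip(b" \t")
    if any((c < 0x20 and c != 0x09) or c == 0x7F for c in value):
        raise ChunkedError("control character in trailer value")
    if name.lower() in FORBIDDEN_TRAILERS:
        raise ChunkedError("%r is not permitted as a trailer" % name)
    return name, value


def decode_chunked(body, drop_trailers=False):
    """Decode a chunked message body.

    Returns (payload, trailers, remainder): the de-chunked bytes, the validated
    trailer fields as (name, value) pairs, and any bytes after the message.
    With drop_trailers=True the trailer section is consumed without validation
    and an empty list is returned, i.e. nothing from it reaches the origin.
    """
    payload = bytearray()
    pos = 0
    while True:
        line, pos = _read_line(body, pos)
        size_str = line.split(b";", 1)[0]            # chunk-ext, if any, is ignored
        if not HEX.fullmatch(size_str):
            raise ChunkedError("bad chunk size: %r" % size_str)
        size = int(size_str, 16)
        if size == 0:                                # last-chunk
            break
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        payload += body[pos:pos + size]
        pos += size + 2
    trailers = []
    while True:
        line, pos = _read_line(body, pos)
        if line == b"":                              # empty line ends the section
            break
        if not drop_trailers:
            trailers.append(_parse_trailer_line(line))
    return bytes(payload), trailers, body[pos:]


def reframe_for_origin(body, drop_trailers=False):
    """Decode, then re-encode as one clean chunk plus validated trailers.

    The origin only ever sees framing the proxy produced, never the client's.
    """
    payload, trailers, remainder = decode_chunked(body, drop_trailers)
    out = b"%x\r\n%s\r\n" % (len(payload), payload) if payload else b""
    out += b"0\r\n" + b"".join(n + b": " + v + b"\r\n" for n, v in trailers) + b"\r\n"
    return out, remainder


def verdict(body, drop_trailers=False):
    """Return 'forward' if the body can be relayed, else 'reject: <reason>'."""
    try:
        decode_chunked(body, drop_trailers)
    except ChunkedError as exc:
        return "reject: %s" % exc
    return "forward"


if __name__ == "__main__":
    # Constructed sample bodies: one clean, one with a non-field line in the
    # trailer section, one smuggling a framing header through the trailers.
    for sample in (b"5\r\nhello\r\n0\r\nX-Checksum: abc\r\n\r\n",
                   b"0\r\nnot a field line\r\n\r\n",
                   b"0\r\nContent-Length: 7\r\n\r\n"):
        print(verdict(sample), "| with trailers dropped:", verdict(sample, True))
```

The drop option is the blunt tool: it never raises on a bad trailer section because it never looks at it, which is exactly why it is safe to forward what remains. Validation keeps legitimate trailers (checksums, timing data) but has to reject anything that is not a field line or that names a framing header.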

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 1

An HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Versions from 8.0.0 through 8.1.9 and from 9.0.0 through 9.2.3 are affected. Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory that a request can use, and ATS adhered to these limits in previous releases. Users are recommended to upgrade to version 8.1.10 or 9.2.4, which fixes the issue. • https://github.com/lockness-Ko/CVE-2024-27316 • http://www.openwall.com/lists/oss-security/2024/04/03/16 • http://www.openwall.com/lists/oss-security/2024/04/10/7 • https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc • https://lists.debian.org/debian-lts-announce/2024/04/msg00021.html • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBKLPQ6ECG4PGEPRCYI3Y3OITNDEFCCV • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message • CWE-20: Improper Input Validation
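As an added example (not Apache Traffic Server code), the following Python model shows the per-connection accounting that a per-minute CONTINUATION cap implies, next to the limit every HTTP/2 endpoint needs anyway: a bound on the total size of one header block. The ContinuationGuard class, its max_per_minute parameter (standing in for the advisory's proxy.config.http2.max_continuation_frames_per_minute setting) and the sample frame sequences are constructed for this illustration; only the 9-byte frame header from RFC 9113 is parsed, and the HPACK fragment is counted by length, not decoded.

```python
"""Per-connection accounting for HTTP/2 CONTINUATION frames.

Added example, not Apache Traffic Server code. A HEADERS frame without
END_HEADERS opens a header block that CONTINUATION frames extend; until
END_HEADERS arrives the receiver must buffer the fragments, so a client can
keep sending small CONTINUATION frames indefinitely. Two independent limits
are modelled: a sliding per-minute frame cap (the advisory's mitigation, as a
hypothetical max_per_minute parameter) and a cap on header-block bytes.
"""

HEADERS, PUSH_PROMISE, CONTINUATION = 0x1, 0x5, 0x9
END_HEADERS = 0x4                        # frame flag (RFC 9113 s6.2)
PROTOCOL_ERROR, ENHANCE_YOUR_CALM = 0x1, 0xB   # GOAWAY error codes (s7)


def frame(ftype, flags, stream_id, payload):
    """Serialise one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


def parse_frame_header(raw):
    """Return (type, flags, stream_id, payload_length) from a frame's first 9 bytes."""
    length = int.from_bytes(raw[0:3], "big")
    stream_id = int.from_bytes(raw[5:9], "big") & 0x7FFFFFFF   # drop reserved bit
    return raw[3], raw[4], stream_id, length


class ContinuationGuard:
    def __init__(self, max_per_minute=100, max_header_block=16384):
        self.max_per_minute = max_per_minute
        self.max_header_block = max_header_block
        self.times = []           # arrival times of recent CONTINUATION frames
        self.open_stream = None   # stream whose header block is still open
        self.block_bytes = 0

    def feed(self, ftype, flags, stream_id, length, now):
        """Return None to accept the frame, or (GOAWAY error code, reason)."""
        if self.open_stream is not None and (
                ftype != CONTINUATION or stream_id != self.open_stream):
            return PROTOCOL_ERROR, "frame interleaved inside an open header block"
        if ftype in (HEADERS, PUSH_PROMISE):
            self.block_bytes = length
        elif ftype == CONTINUATION:
            if self.open_stream is None:
                return PROTOCOL_ERROR, "CONTINUATION without a preceding HEADERS"
            self.block_bytes += length
            self.times.append(now)
            self.times = [t for t in self.times if now - t < 60.0]
            if len(self.times) > self.max_per_minute:
                return ENHANCE_YOUR_CALM, "too many CONTINUATION frames per minute"
        else:
            return None                                   # DATA, SETTINGS, ... pass
        if self.block_bytes > self.max_header_block:
            return ENHANCE_YOUR_CALM, "header block exceeds %d bytes" % self.max_header_block
        self.open_stream = None if flags & END_HEADERS else stream_id
        return None


def scan(events, guard):
    """Feed (timestamp, frame bytes) pairs to guard; return (frames accepted, verdict)."""
    accepted = 0
    for now, raw in events:
        ftype, flags, stream_id, length = parse_frame_header(raw)
        result = guard.feed(ftype, flags, stream_id, length, now)
        if result is not None:
            return accepted, result
        accepted += 1
    return accepted, None


# Constructed sample traffic (16-byte placeholder HPACK fragments).
def sample_request():
    """Ordinary request: HEADERS, two CONTINUATIONs, then a DATA frame."""
    return [(0.00, frame(HEADERS, 0, 1, b"\x00" * 16)),
            (0.01, frame(CONTINUATION, 0, 1, b"\x00" * 16)),
            (0.02, frame(CONTINUATION, END_HEADERS, 1, b"\x00" * 16)),
            (0.03, frame(0x0, 0x1, 1, b"body"))]


def sample_flood(n, spacing=0.1):
    """One HEADERS, then n CONTINUATIONs, none carrying END_HEADERS."""
    events = [(0.0, frame(HEADERS, 0, 1, b"\x00" * 16))]
    return events + [(spacing * (i + 1), frame(CONTINUATION, 0, 1, b"\x00" * 16))
                     for i in range(n)]


def sample_interleaved():
    """HEADERS on stream 1 left open, then HEADERS on stream 3: a protocol error."""
    return [(0.0, frame(HEADERS, 0, 1, b"\x00" * 16)),
            (0.1, frame(HEADERS, END_HEADERS, 3, b"\x00" * 16))]


if __name__ == "__main__":
    print(scan(sample_request(), ContinuationGuard()))
    print(scan(sample_flood(200), ContinuationGuard(max_per_minute=100)))
    print(scan(sample_flood(200, spacing=1.0), ContinuationGuard(max_per_minute=100)))
```

The third run in the usage block is the caveat: a flood paced at one frame per second never trips a 100-per-minute cap, so the rate limit alone does not bound memory. The header-block byte limit (the "fixed amount of memory a request can use" the advisory refers to) is what stops the slow variant; both limits are needed.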