CVE-2021-32567 – Reading HTTP/2 frames too many times
https://notcve.org/view.php?id=CVE-2021-32567
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. Una vulnerabilidad de comprobación inapropiada de entrada en HTTP/2 de Apache Traffic Server, permite a un atacante realizar un DOS en el servidor. Este problema afecta a Apache Traffic Server versiones 7.0.0 hasta 7.1.12, versiones 8.0.0 hasta 8.1.1, versiones 9.0.0 hasta 9.0.1 • https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E https://www.debian.org/security/2021/dsa-4957 • CWE-20: Improper Input Validation •
CVE-2021-32566 – Specific sequence of HTTP/2 frames can cause ATS to crash
https://notcve.org/view.php?id=CVE-2021-32566
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. Una vulnerabilidad de comprobación inapropiada de entrada en HTTP/2 de Apache Traffic Server, permite a un atacante realizar un DOS en el servidor. Este problema afecta a Apache Traffic Server versiones 7.0.0 hasta 7.1.12, versiones 8.0.0 hasta 8.1.1, versiones 9.0.0 hasta 9.0.1 • https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E https://www.debian.org/security/2021/dsa-4957 • CWE-20: Improper Input Validation •
CVE-2021-32565 – HTTP Request Smuggling, content length with invalid charters
https://notcve.org/view.php?id=CVE-2021-32565
Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. Unos valores no válidos en la cabecera Content-Length enviada a Apache Traffic Server, permiten a un atacante contrabandear peticiones. Este problema afecta a Apache Traffic Server versiones 7.0.0 hasta 7.1.12, versiones 8.0.0 hasta 8.1.1, versiones 9.0.0 hasta 9.0.1 • https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E https://www.debian.org/security/2021/dsa-4957 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2021-27577 – Incorrect handling of url fragment leads to cache poisoning
https://notcve.org/view.php?id=CVE-2021-27577
Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. Una vulnerabilidad de manejo incorrecto de fragmentos de url de Apache Traffic Server, permite a un atacante envenenar la caché. Este problema afecta a Apache Traffic Server versiones 7.0.0 hasta 7.1.12, versiones 8.0.0 hasta 8.1.1, versiones 9.0.0 hasta 9.0.1 • https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E https://www.debian.org/security/2021/dsa-4957 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2020-17508
https://notcve.org/view.php?id=CVE-2020-17508
The ATS ESI plugin has a memory disclosure vulnerability. If you are running the plugin please upgrade. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected. El plugin ESI en Apache Traffic Server versiones 6.0.0 hasta 6.2.3, versiones 7.0.0 hasta 7.1.11 y versiones 8.0.0 hasta 8.1.0, presenta una vulnerabilidad de divulgación de la memoria. Si está ejecutando el plugin, favor actualice a versión 7.1.12 o 8.1.1 o posterior • https://lists.apache.org/thread.html/r65434f7acca3aebf81b0588587149c893fe9f8f9f159eaa7364a70ff%40%3Cannounce.trafficserver.apache.org%3E •