9 results (0.002 seconds)

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions. Apache Traffic Server es vulnerable a los ataques de inundación de la configuración HTTP/2. Las versiones anteriores de Apache Traffic Server no limitaban el número de tramas de configuración enviadas desde el cliente utilizando el protocolo HTTP/2. • https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E • CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 8.6EPSS: 0%CPEs: 10EXPL: 0

There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and prior and 7.0.0 and prior with the Host header and line folding. This can have issues when interacting with upstream proxies and the wrong host being used. Hay una vulnerabilidad en Apache Traffic Server (ATS) en versiones 6.2.0 y anteriores y versiones 7.0.0 y anteriores con la cabecera Host y el plegado de líneas. Esto puede provocar problemas al interactuar con proxies ascendentes empleando el host erróneo. • https://lists.apache.org/thread.html/22d84783d94c53a5132ec89f002fe5165c87561a9428bcb6713b3c98%40%3Cdev.trafficserver.apache.org%3E https://www.debian.org/security/2018/dsa-4128 • CWE-20: Improper Input Validation •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT. Apache Traffic Server en versiones 5.1.x anteriores a la 5.1.1 permite que atacantes remotos omitan las restricciones de acceso aprovechando el error a la hora de crear un canal seguro para las peticiones de reasignación empleando CONNECT. • http://mail-archives.apache.org/mod_mbox/www-announce/201411.mbox/%3C20141101231749.2E3561043F%40minotaur.apache.org%3E http://www.securityfocus.com/bid/101630 https://issues.apache.org/jira/browse/TS-2677 • CWE-284: Improper Access Control •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked encoding. Apache Traffic Server en versiones anteriores a 6.2.1 genera un volcado de memoria cuando hay una falta de coincidencia entre la longitud del contenido y la codificación en fragmentos. • http://www.securityfocus.com/bid/97949 http://www.securitytracker.com/id/1038275 https://issues.apache.org/jira/browse/TS-4819 • CWE-20: Improper Input Validation •

CVSS: 5.0EPSS: 1%CPEs: 1EXPL: 0

Apache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer sizing. Apache Traffic Server anterior a 5.1.2 permite a atacantes remotos causar una denegación de servicio a través de vectores no especificados, relacionado con el tamaño de buffers internos. • http://mail-archives.apache.org/mod_mbox/trafficserver-users/201412.mbox/browser http://www.securitytracker.com/id/1031499 https://issues.apache.org/jira/browse/TS-3223 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •