CVE-2023-38522 Apache Traffic Server: Incomplete field name check allows request smuggling

2024-07-2609:11:20

CWE-444

apache

www.cve.org

apache traffic server

field name check

request smuggling

cve-2023-38522

upgrade

cache poisoning

origin servers

vulnerability

EPSS

0.002

Percentile

55.7%

JSON

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.

Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Traffic Server",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "8.1.10",
        "status": "affected",
        "version": "8.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.2.4",
        "status": "affected",
        "version": "9.0.0",
        "versionType": "semver"
      }
    ]
  }
]