Lucene search

[email protected]NVD:CVE-2023-38522

HistoryJul 26, 2024 - 10:15 a.m.

CVE-2023-38522

2024-07-2610:15:01

CWE-86

CWE-444

[email protected]

web.nvd.nist.gov

apache traffic server

http field names

request smuggling

cache poisoning

cve-2023-38522

upgrade

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

55.7%

JSON

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.

Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

Affected configurations

Nvd

Node

apachetraffic_serverRange8.0.0–8.1.11

apachetraffic_serverRange9.0.0–9.2.5

VendorProductVersionCPE
apachetraffic_server*cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	traffic_server	*	cpe:2.3:a:apache:traffic_server::::::::

References

lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

55.7%

JSON

Related for NVD:CVE-2023-38522

cvelist1 redhatcve1 osv2 vulnrichment1 ubuntucve1 debiancve1 cve1 nessus4 fedora2 openvas3