Lucene search

[email protected]NVD:CVE-2024-35161

HistoryJul 26, 2024 - 10:15 a.m.

CVE-2024-35161

2024-07-2610:15:02

CWE-444

[email protected]

web.nvd.nist.gov

apache traffic server

http chunked trailer

request smuggling

cache poisoning

upgrade

cve-2024-35161

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

55.7%

JSON

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.

Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section.
Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

Affected configurations

Nvd

Node

apachetraffic_serverRange8.0.0–8.1.11

apachetraffic_serverRange9.0.0–9.2.5

VendorProductVersionCPE
apachetraffic_server*cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	traffic_server	*	cpe:2.3:a:apache:traffic_server::::::::

References

lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

55.7%

JSON

Related for NVD:CVE-2024-35161

osv2 ubuntucve1 cvelist1 redhatcve1 debiancve1 vulnrichment1 cve1 nessus4 openvas3 fedora2