82 matches found
CVE-2019-9513
CVE-2019-9513 (and related HTTP/2 CVEs) affect nginx and nghttp2. The issues enable denial of service via HTTP/2 resource loops and priority/window manipulation, causing high CPU/memory usage. nginx 1.16.x and nghttp2 are specifically named in advisories; remediation is upgrading to fixed package...
CVE-2024-31309
CVE-2024-31309 affects Apache Traffic Server (ATS) HTTP/2 CONTINUATION handling. A DoS can occur due to CONTINUATION frame floods, impacting ATS 8.0.0–8.1.9 and 9.0.0–9.2.3. Upstream fixes are in 8.1.10 and 9.2.4. Practical mitigation includes setting proxy.config.http2.max_continuation_frames_pe...
CVE-2019-9517
CVE-2019-9517 describes an attack against some HTTP/2 implementations where unconstrained internal data buffering can cause a denial of service. The vulnerability arises when an attacker floods a connection with a large number of requests for a large response object while manipulating HTTP/2 flow...
CVE-2023-44487
CVE-2023-44487 – HTTP/2 Rapid Reset DoS Root cause: HTTP/2 stream resets can cause servers to continue processing, leading to unbounded resource consumption and potential DoS when clients rapidly cancel streams. What’s affected: Various HTTP/2 implementations and deployments, including servers, p...
CVE-2019-9511
CVE-2019-9511 is an HTTP/2 denial-of-service issue observed in multiple products where an attacker manipulates HTTP/2 window size and stream prioritization to force queuing of data in 1-byte chunks, potentially exhausting CPU/memory. Connected advisories confirm affected components include nginx ...
CVE-2019-9516
CVE-2019-9516 is an HTTP/2 header leak vulnerability affecting nginx and several Linux distributions. The issue occurs when an attacker sends streams with 0-length header names and values (optionally Huffman encoded), causing nginx to allocate memory for headers that may be kept until the session...
CVE-2019-9514
CVE-2019-9514 corresponds to an HTTP/2 vulnerability where an attacker floods a peer by sending HEADERS frames, causing unbounded memory growth and potential DoS. Public details in connected advisories show affected stacks include Go HTTP/2 implementations and Go-based tools, with remediation via...
CVE-2019-9512
CVE-2019-9512 is a HTTP/2 denial-of-service issue caused by ping floods that can trigger unbounded memory/CPU growth. Connected advisories confirm concrete remediation paths across environments: for Go-based HTTP/2 stacks, upgrading Go to 1.12.8 or newer (addresses CVE-2019-9512/9514 and related ...
CVE-2019-9518
CVE-2019-9518 describes a denial-of-service risk in HTTP/2 where a flood of frames with empty payloads (DATA, HEADERS, CONTINUATION, PUSH_PROMISE) and no end-of-stream flag can exhaust CPU and memory. Connected docs confirm concrete mentions across multiple ecosystems: Cloud Foundry products (emp...
CVE-2019-9515
CVE-2019-9515 concerns an HTTP/2 settings flood that can cause memory/CPU exhaustion. Arista’s security advisory (Security Advisory 0043) states the vulnerability is in Go’s gRPC HTTP/2 usage and can affect TerminAttr, OpenConfig, CVP, and certain Wi‑Fi OpenConfig-enabled components when enabled....
CVE-2024-53868
Apache Traffic Server is affected by CVE-2024-53868: request smuggling when chunked messages are malformed. Affected versions are 9.2.0–9.2.9 and 10.0.0–10.0.4. The issue is mitigated by upgrading to 9.2.10 or 10.0.5, which contain the fix. Impact is described as high (I), with no confidentiality...
CVE-2020-9494
CVE-2020-9494 affects Apache Tomcat across multiple branches and versions: 7.0.0–7.0.107, 8.5.0–8.5.61, 9.0.0-M1–9.0.41, and 10.0.0-M1–10.0.0. The issue stems from handling of HTTP/2 HEADERS frames that can cause excessive memory allocation and thread spinning. Connected advisories note the fix f...
CVE-2021-44040
CVE-2021-44040 affects Apache Traffic Server, with improper input validation in request line parsing allowing attackers to send invalid requests. Affected versions: 8.0.0–8.1.3 and 9.0.0–9.1.1. Severity is reflected as high in 3.1 metrics. Mitigation: remediation exists via vendor/debian advisori...
CVE-2018-8004
CVE-2018-8004 affects Apache Traffic Server (ATS) and is due to HTTP smuggling and cache‑poisoning issues. The vulnerability impacts ATS versions 6.0.0–6.2.2 and 7.0.0–7.1.3, with fixed releases 6.2.3+ and 7.1.4+ recommended. Public sources describe multiple parsing flaws (e.g., header parsing in...
CVE-2023-33934
CVE-2023-33934 describes an Improper Input Validation vulnerability in the Apache Traffic Server. Affected software includes Traffic Server up to version 9.2.1 . Debian advisories indicate the issue is addressed in newer packages (e.g., Debian bookworm: 9.2.3+ds-1+deb12u1; Debian bullseye: 8.1.9+...
CVE-2023-39456
CVE-2023-39456 affects Apache Traffic Server (ATS) before version 9.2.3. The issue is an improper input validation vulnerability triggered by malformed HTTP/2 frames, impacting ATS releases 9.0.0 through 9.2.2. Upgrading to ATS 9.2.3 is recommended and fixes the issue. The CVSS base metrics quote...
CVE-2019-10079
Apache Traffic Server (ATS) is vulnerable to HTTP/2 setting flood attacks due to not limiting the number of HTTP/2 setting frames from a client. Affected versions include older ATS releases; remediation is to upgrade to 7.1.7, 8.0.4, or later. The provided documents describe a denial-of-service r...
CVE-2020-9481
Apache Traffic Server (ATS) is affected by CVE-2020-9481. Versions 6.0.0–6.2.3, 7.0.0–7.1.9, and 8.0.0–8.0.6 are vulnerable to a HTTP/2 slow read attack, which can lead to denial of service (and is described in multiple sources as affecting ATS). The vulnerability stems from HTTP/2 handling in AT...
CVE-2023-41752
CVE-2023-41752 affects Apache Traffic Server with exposure of sensitive information to an unauthorized actor. Affected versions are 8.0.0–8.1.8 and 9.0.0–9.2.2. Upgrading to 8.1.9 or 9.2.3 is the recommended fix. The vulnerability is described as an information disclosure issue, with a HIGH sever...
CVE-2022-47185
CVE-2022-47185 affects Apache Traffic Server up to version 9.2.1, due to an improper input validation vulnerability in the range header. Several connected sources confirm fixes in later releases: Debian security updates fix to 9.2.3+ds-1+deb12u1 (Debian DSA-5549‑1 / DLA-3595-1) and OSV entries do...
CVE-2021-44759
CVE-2021-44759 affects Apache Traffic Server 8.0.0–8.1.0. The root cause is improper authentication in the TLS origin validation, enabling a man-in-the-middle attack. Impact is partial confidentiality, integrity, and availability. Publicly documented references indicate MITM risk via TLS origin v...
CVE-2019-17559
Apache Traffic Server (ATS) versions affected: 6.0.0–6.2.3, 7.0.0–7.1.8, and 8.0.0–8.0.5. The vulnerability involves a smuggling attack and issues with scheme parsing. Upgrading to ATS 7.1.9 or later or 8.0.6 or later addresses the flaw. References indicate this is a documented vulnerability with...
CVE-2020-1944
CVE-2020-1944 affects Apache Traffic Server (versions 6.0.0–6.2.3, 7.0.0–7.1.8, 8.0.0–8.0.5). The vulnerability is a smuggling attack involving Transfer-Encoding and Content-Length headers. The issue is severe: CVSSv3.1 base score 9.8 (CRITICAL) with network attack vector, no authentication, and ...
CVE-2021-27737
CVE-2021-27737 affects Apache Traffic Server 9.0.0, where the remote denial of service is triggered via the experimental Slicer plugin. The CVSS data indicate a high impact on availability (CVSS-3.1 base score 7.5). Connected documents confirm the vulnerable variant and suggest upgrading to 9.0.1...
CVE-2023-38522
Summary (CVE-2023-38522) : Apache Traffic Server is affected by an incomplete validation of HTTP field names, allowing malformed requests to be forwarded to origin servers. This can enable request smuggling and potentially cache poisoning if the origin is vulnerable. Affected versions include 8.0...
CVE-2021-35474
CVE-2021-35474 is a stack-based buffer overflow in the cachekey plugin of Apache Traffic Server, affecting ATS versions 7.0.0–7.1.12, 8.0.0–8.1.1, and 9.0.0–9.0.1. The Connected documents confirm the vulnerability and list affected versions; Debian's advisory DSA-4957-1 notes a fix in Debian for ...
CVE-2020-17508
The CVE-2020-17508 entry concerns Apache Traffic Server’s ATS ESI plugin, with a memory disclosure vulnerability. Affected are ATS/Plugin versions: 7.0.0–7.1.11 and 8.0.0–8.1.0. The available data state that upgrading the plugin is required; no additional exploit details, affected file paths, or ...
CVE-2018-11783
CVE-2018-11783 affects the Apache Traffic Server sslheaders plugin. The plugin “extracts information from the client certificate and sets headers in the request based on the configuration,” and in some scenarios does not strip those headers from the request. This creates information exposure as h...
CVE-2022-40743
CVE-2022-40743 affects Apache Traffic Server (AS) 9.0.0–9.1.3, via an Improper Input Validation vulnerability in the xdebug plugin, leading to cross-site scripting and cache-poisoning . The issue is fixed by upgrading to Traffic Server 9.1.4 or later. The connected OSV entries corroborate the sam...
CVE-2019-17565
CVE-2019-17565 affects Apache Traffic Server. Affected versions include 6.0.0–6.2.3, 7.0.0–7.1.8, and 8.0.0–8.0.5, with a smuggling attack via chunked encoding. Remediation per sources: upgrade to 7.1.9 or 8.0.6 or later. The vulnerability exists in ATS’s handling of HTTP requests and could allow...
CVE-2021-27577
The CVE-2021-27577 issue affects Apache Traffic Server (ATS) and is caused by incorrect handling of URL fragments, enabling cache poisoning. Affected versions include ATS 7.0.0–7.1.12, 8.0.0–8.1.1, and 9.0.0–9.0.1. Impact is cache poisoning with potential denial of service implications depending ...
CVE-2021-43082
CVE-2021-43082 affects Apache Traffic Server 9.1.0 via the stats-over-http plugin. Description: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability that allows an attacker to overwrite memory. Documented references confirm the issue and its association with ATS 9....
CVE-2021-32566
Apache Traffic Server is affected by CVE-2021-32566 (Improper Input Validation in HTTP/2) which can lead to denial of service. The vulnerability affects ATS versions 7.0.0–7.1.12, 8.0.0–8.1.1, and 9.0.0–9.0.1. Evidence from multiple sources confirms the issue and its impact on availability (NVD C...
CVE-2021-37147
CVE-2021-37147 affects Apache Traffic Server: improper input validation in header parsing allows HTTP request smuggling. Affected versions are 8.0.0–8.1.2 and 9.0.0–9.1.0. Public sources describe risk of request smuggling and potential MITM. Patches/updates exist in Debian advisories (e.g., Bulls...
CVE-2021-32565
Apache Traffic Server is affected by CVE-2021-32565 due to invalid values in the Content-Length header, enabling HTTP request smuggling. Affected releases: 7.0.0–7.1.12, 8.0.0–8.1.1, and 9.0.0–9.0.1. The issue’s root cause is improper handling of Content-Length values. Debian/DSA-4957-1 notes a f...
CVE-2021-32567
CVE-2021-32567 is an HTTP/2 input-validation vulnerability in Apache Traffic Server that can cause denial of service. Affected are ATS versions 7.0.0–7.1.12, 8.0.0–8.1.1, and 9.0.0–9.0.1. The core issue is improper input validation in HTTP/2 handling, leading to server DOS conditions. The connect...
CVE-2024-50305
Apache Traffic Server (affected: 9.2.0–9.2.5) contains CVE-2024-50305 due to a flaw with the Valid Host header field that can cause a crash on some platforms. The issue is addressed by upgrading to 9.2.6 or 10.0.2 (which does not have the issue). If present, also consider broader advisories acros...
CVE-2014-3624
CVE-2014-3624 affects Apache Traffic Server (ATS) 5.1.x before 5.1.1 . The issue is a failure to properly tunnel remap requests using CONNECT , allowing remote attackers to bypass access restrictions. Root cause described as improper handling of CONNECT tunneling for remap requests. Impact is byp...
CVE-2022-25763
CVE-2022-25763 affects Apache Traffic Server 8.0.0–9.1.2 due to improper HTTP/2 request validation, enabling potential smuggle or cache-poison attacks. The initial document lists CVSS metrics (base 7.5/ HIGH) and impact as I:H, with no exploitation status provided. Remediation references exist in...
CVE-2022-31778
CVE-2022-31778 involves an ** Improper Input Validation** vulnerability in Apache Traffic Server’s handling of the Transfer-Encoding header, allowing an attacker to poison the cache. Affected products/versions: Apache Traffic Server 8.0.0–9.0.2 . Root cause (as stated): improper input validation ...
CVE-2023-30631
Apache Traffic Server (ATS) CVE-2023-30631: Improper input validation in the configuration option proxy.config.http.push_method_enabled caused the PUSH method handling to behave unexpectedly, potentially bypassing intended blocks. Affects ATS releases 8.0.0 through 9.2.0. Mitigation: upgrade to 8...
CVE-2024-35161
CVE-2024-35161 affects Apache Traffic Server. Versions 8.0.0–8.1.10 and 9.0.0–9.2.4 forward malformed HTTP chunked trailer sections to origin servers, enabling potential request smuggling and, if the origin is vulnerable, cache poisoning. Debian and Tenable advisories confirm multiple vendors iss...
CVE-2020-17509
CVE-2020-17509 affects Apache Traffic Server (ATS) where the negative cache option is vulnerable to cache poisoning. Affected versions are ATS 7.0.0–7.1.11 and 8.0.0–8.1.0. The underlying issue is linked to the negative cache option enabling a cache poisoning attack; if this option is enabled, up...
CVE-2018-1318
CVE-2018-1318 affects Apache Traffic Server. The issue arises when adding method ACLs in remap.config, which can cause a segmentation fault under crafted requests. Vulnerable ATS versions: 6.0.0–6.2.2 and 7.0.0–7.1.3. Impact described as a segfault when handling certain inputs; no exploit details...
CVE-2024-35296
Apache Traffic Server (versions 8.0.0–8.1.10 and 9.0.0–9.2.4) is affected by CVE-2024-35296 due to incorrect handling of the Accept-Encoding header, which can cause cache lookups to fail and lead to forwarding requests. The issue is resolved by upgrading to 8.1.11 or 9.2.5. Certified advisories f...
CVE-2024-38479
CVE-2024-38479 affects Apache Traffic Server. Affected: versions 8.0.0–8.1.11 and 9.0.0–9.2.5. Root cause: improper input validation, which can lead to cache poisoning. Impact: potential denial of service or integrity issues without user interaction. Per the bulletin, upgrade to 9.2.6 or 10.0.2 t...
CVE-2022-31780
CVE-2022-31780 affects Apache Traffic Server (8.0.0–9.1.2) with an improper input validation in HTTP/2 frame handling that can allow request smuggling. Connected advisories confirm fixes: Debian DLA-3279 (trafficserver 8.0.2+ds-1+deb10u7) and Fedora updates (trafficserver 9.1.3-1.fc36/1.fc35). Op...
CVE-2023-33933
Apache Traffic Server (OSS reverse/forward proxy) is affected by CVE-2023-33933, impacting versions 8.0.0 through 9.2.0. The issue is described as Exposure of Sensitive Information to an Unauthorized Actor, with impact confined to confidentiality (C: High, I: None, A: None) and no user interactio...
CVE-2024-38311
CVE-2024-38311 describes an Improper Input Validation vulnerability in Apache Traffic Server. Affected versions include 8.0.0–8.1.11, 9.0.0–9.2.8, and 10.0.0–10.0.3. Debian and OpenVAS/Nessus advisories route mitigations to upgrade to 9.2.9 or 10.0.4 . The Debian advisory also notes potential imp...
CVE-2021-37150
CVE-2021-37150 affects Apache Traffic Server 8.0.0–9.1.2. It is due to improper input validation in header parsing, allowing an attacker to request secure resources. The issue is rated HIGH (CVSS/CA: HIGH; I/N/A impacts as documented). Remediation shown in connected advisories: upgrade to newer T...