82 matches found
CVE-2018-8005
CVE-2018-8005 affects Apache Traffic Server (ATS). When a range request contains multiple ranges, ATS reads the entire object from cache, causing potential performance degradation for large cached objects. Affected versions are 6.0.0–6.2.2 and 7.0.0–7.1.3. Mitigation: upgrade to 6.2.3 or later fo...
CVE-2022-28129
Apache Traffic Server versions 8.0.0–9.1.2 are affected by CVE-2022-28129 due to improper input validation in HTTP/1.1 header parsing, allowing an attacker to send invalid headers. Fedora advisories indicate upgrades to 9.1.3 (and 8.0.2+ds-1+deb10u7 for Debian) to fix the issue. CVSSv3 base score...
CVE-2024-50306
CVE-2024-50306 affects Apache Traffic Server. An unchecked return value can allow the process to retain privileges on startup, enabling a potential privilege escalation. Affected versions: 9.2.0–9.2.5 and 10.0.0–10.0.1. The issue is mitigated by upgrading to 9.2.6 or 10.0.2, which contain the fix...
CVE-2023-33933
Apache Traffic Server (OSS reverse/forward proxy) is affected by CVE-2023-33933, impacting versions 8.0.0 through 9.2.0. The issue is described as Exposure of Sensitive Information to an Unauthorized Actor, with impact confined to confidentiality (C: High, I: None, A: None) and no user interactio...
CVE-2021-37150
CVE-2021-37150 affects Apache Traffic Server 8.0.0–9.1.2. It is due to improper input validation in header parsing, allowing an attacker to request secure resources. The issue is rated HIGH (CVSS/CA: HIGH; I/N/A impacts as documented). Remediation shown in connected advisories: upgrade to newer T...
CVE-2021-38161
Apache Traffic Server (ATS) is affected by CVE-2021-38161: an improper TLS origin verification authentication vulnerability in ATS 8.0.0–8.0.8 that enables MITM attacks. The issue is rooted in TLS origin verification, allowing an attacker to intercept or manipulate traffic between clients and ATS...
CVE-2022-31779
CVE-2022-31779 affects Apache Traffic Server, where an improper input validation in HTTP/2 header parsing allows request smuggling. Affected: ATS 8.0.0–9.1.2. Impact: potential inconsistency or compromise via crafted requests (I: HIGH, A: NONE, C: NONE). Mitigation in public advisories: Debian fi...
CVE-2017-5660
CVE-2017-5660 affects Apache Traffic Server (ATS) versions 6.2.0 and earlier and 7.0.0 and earlier due to a Host header/line folding issue that can interact with upstream proxies and cause the wrong host to be used. Several sources describe an input-validation/host-header vulnerability with poten...
CVE-2022-37392
CVE-2022-37392 is an Apache Traffic Server vulnerability described as an improper check for unusual or exceptional conditions in request handling, affecting versions 8.0.0–9.1.2. Public advisories (Debian DSA-5311, DLA-3385) and Nessus plugins state that exploitation could lead to HTTP request sm...
CVE-2024-56195
CVE-2024-56195 is an Improper Access Control vulnerability in Apache Traffic Server. Affected releases: 9.2.0–9.2.8 and 10.0.0–10.0.3. The issue is fixed in 9.2.9 and 10.0.4. Connected documents corroborate multiple advisories for trafficserver and list CVEs including CVE-2024-56195; however, exp...
CVE-2018-8040
CVE-2018-8040 affects Apache Traffic Server (ATS) via the ESI plugin. Pages rendered with ESI can access the cookie header even when access is disallowed, impacting ATS versions 6.0.0–6.2.2 and 7.0.0–7.1.3. The root cause is improper restriction of cookie header access within the ESI plugin, lead...
CVE-2024-56202
CVE-2024-56202 is a vulnerability described as an Expected Behavior Violation in Apache Traffic Server. It affects the following releases: 9.0.0–9.2.8 and 10.0.0–10.0.3. The provided data shows a CVSS v3.1 base score of 4.3 (Medium) with network attack vector, low attack complexity, and privilege...
CVE-2021-37148
CVE-2021-37148 is an improper input validation vulnerability in Apache Traffic Server header parsing allowing HTTP request smuggling. Affected versions: 8.0.0–8.1.2 and 9.0.0–9.0.1. Debian advisories map fixes to 8.0.2+ds-1+deb10u6 and 8.1.1+ds-1.1+deb11u1 (Bullseye/Buster), while OpenVAS/Nessus ...
CVE-2022-32749
CVE-2022-32749 is an Apache Traffic Server vulnerability described as an improper check for unusual or exceptional conditions that can crash the server under certain requests. Affected products span Traffic Server 8.0.0 through 9.1.3. The connected documents indicate that Debian and Fedora adviso...
CVE-2022-47184
CVE-2022-47184 affects Apache Traffic Server, with affected versions 8.0.0–9.2.0. The issue is described as exposure of sensitive information to an unauthorized actor, and Debian/Fedora advisories indicate that the TRACE method can disclose network information. Multiple vendor advisories referenc...
CVE-2012-0256
Apache Traffic Server is affected by CVE-2012-0256 due to a heap memory allocation bug that can be triggered by a long HTTP Host header, enabling a remote attacker to cause a DoS (daemon crash). Affected versions are 2.0.x and 3.0.x before 3.0.4 and 3.1.x before 3.1.3. The issue is a heap-based v...
CVE-2014-3525
CVE-2014-3525 affects Apache Traffic Server 3.x (up to 3.2.5), 4.x before 4.2.1.1, and 5.x before 5.0.1. The connected sources describe an unspecified vulnerability related to synthetic health checks that can lead to DoS. Public details are limited in the provided docs; some entries reference upd...
CVE-2021-41585
This CVE (CVE-2021-41585) affects Apache Traffic Server versions 5.0.0–9.1.0 and is caused by improper input validation in accepting socket connections, enabling an attacker to cause the server to stop accepting new connections. The issue is corroborated across multiple sources (OSV- entries, CNV...
CVE-2015-3249
The CVE-2015-3249 entry concerns Apache Traffic Server (ATS) 5.3.x prior to 5.3.1, where the HTTP/2 experimental feature is vulnerable. The underlying issue affects the frame_handlers array and the set_dynamic_table_size function, enabling remote attackers to cause a denial of service (out-of-bou...
CVE-2021-37149
CVE-2021-37149: Improper input validation in Apache Traffic Server header parsing allows request smuggling. Affected: ATS versions 8.0.0–8.1.2 and 9.0.0–9.1.0. The issue is mitigated by upgrading to patched releases (e.g., 8.1.3 or 9.1.1 per sources). If upgrading is not feasible, refer to vendor...
CVE-2024-56196
CVE-2024-56196 affects Apache Traffic Server versions 10.0.0–10.0.3 with an improper Access Control issue. The vulnerability is documented across multiple sources in the Connected documents, which consistently state the affected product and versions and recommend upgrading to 10.0.4 to fix the is...
CVE-2017-5659
CVE-2017-5659 affects Apache Traffic Server prior to 6.2.1. The vulnerability triggers a coredump when there is a mismatch between content length and chunked encoding. Impact in sources notes crash/denial of service-like behavior (availability impact) with a potential high consequence. The docume...
CVE-2015-5206
Apache Traffic Server: Unspecified vulnerability in the HTTP/2 experimental feature affects 5.3.x before 5.3.2. Root cause and impact are not detailed in the provided descriptions; CVSS metrics indicate high severity with network access. Remediation per connected records is upgrade to 5.3.2 or la...
CVE-2017-7671
CVE-2017-7671 is linked to a TLS handshake DoS in Apache Traffic Server (ATS). The Vulners/EUVD/OpenVAS/Nessus-derived documents confirm: vulnerable ATS versions are 5.2.0–5.3.2, 6.0.0–6.2.0, and 7.0.0, with the issue leading to a server coredump. Public references also show Debian DSAs recommend...
CVE-2014-10022
Apache Traffic Server is affected in versions before 5.1.2. The vulnerability arises from an issue in internal buffer sizing that can allow a remote attacker to cause a denial of service. Affected component is the HTTP handling path (HttpTransact.cc as cited in multiple sources) and the root caus...
CVE-2016-5396
Apache Traffic Server (ATS) versions 6.0.0–6.2.0 are affected by an HPACK Bomb Attack. The CVE notes a network-accessible vulnerability with a high impact on availability (CVSS v3 base score 7.5). The related documents consistently describe HPACK Bomb as the issue; no concrete remediation, patch ...
CVE-2010-2952
Apache Traffic Server vulnerable in versions before 2.0.1 and in 2.1.x before 2.1.2-unstable. The issue stems from improper DNS source port/transaction ID handling and DNS query field validation, enabling MITM-style cache poisoning via crafted responses. Remediation: upgrade to Apache Traffic Ser...
CVE-2018-9481
CVE-2018-9481 : The vulnerability is in the Bluetooth stack, specifically in the function bta_hd_set_report_act of bta_hd_act.cc. An integer overflow can trigger an out-of-bounds read, enabling remote information disclosure through the Bluetooth service without extra privileges or user interactio...
CVE-2018-8022
CVE-2018-8022 affects Apache Traffic Server (ATS) 6.2.2. A specially crafted invalid TLS handshake can cause ATS to segfault, leading to a partial availability impact (DoS) as described in multiple sources. The concrete vulnerable component is the TLS handshake handling within ATS; the root cause...
CVE-2025-31698
Summary : CVE-2025-31698 affects Apache Traffic Server (ATS). The ACLs configured in ip_allow.config or remap.config may use IP addresses not provided by the PROXY protocol when ATS is configured to accept PROXY, exposing confidentiality. Affected ranges include 10.0.0–10.0.6 and 9.0.0–9.2.10. Ro...
CVE-2025-65114
CVE-2025-65114 affects Apache Traffic Server where malformed chunked messages enable HTTP request smuggling. Affected versions: 9.0.0–9.2.12 and 10.0.0–10.1.1. The issue is mitigated by upgrading to 9.2.13 or 10.1.2, which include the fix for the chunked encoding parser and related handling (Fedo...
CVE-2025-58136
Apache Traffic Server is affected by CVE-2025-58136 due to a bug in POST request handling that can crash the server under certain conditions. Affected versions are 10.0.0–10.1.1 and 9.0.0–9.2.12. The issue is fixed in 10.1.2 and 9.2.13; upgrading is recommended. As a workaround for older releases...