Apache Traffic Server accepts characters that are not allowed in HTTP
field names and forwards the malformed requests to origin servers. This can
be used for request smuggling and may also lead to cache poisoning if the
origin servers are vulnerable.

This issue affects Apache Traffic Server from 8.0.0 through 8.1.10 and from
9.0.0 through 9.2.4.

Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes
the issue.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | trafficserver | < any | UNKNOWN |
ubuntu | 20.04 | noarch | trafficserver | < any | UNKNOWN |
ubuntu | 22.04 | noarch | trafficserver | < any | UNKNOWN |
ubuntu | 24.04 | noarch | trafficserver | < any | UNKNOWN |
ubuntu | 16.04 | noarch | trafficserver | < any | UNKNOWN |
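
The field-name check that the description says was missing can be illustrated on the receiving side. The following Python function is an added example, not code from the advisory or from Apache Traffic Server: it tests each header line of a raw request head against the RFC 9110 `token` grammar for field names and returns the lines a strict parser would reject. The sample request and its header names are constructed, and the input is assumed to be CRLF-delimited.

```python
import re

# RFC 9110 section 5.1: field-name = token, and token = 1*tchar.
# tchar is ALPHA / DIGIT plus a fixed set of punctuation; spaces, control
# bytes, non-ASCII bytes and delimiters such as "(" or "@" are not allowed.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def invalid_field_names(raw_head: bytes) -> list[tuple[int, bytes]]:
    """Return (line_number, field_name) for every header line whose
    field name is not a valid token. Line 1 is the request line."""
    findings = []
    # Only the head (request line + header fields) is inspected.
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    for lineno, line in enumerate(lines[1:], start=2):
        # Everything before the first colon is the field name. A line
        # without a colon, or one starting with whitespace, fails too.
        name, sep, _value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            findings.append((lineno, name))
    return findings


# Constructed sample: two well-formed fields and two whose names contain
# bytes outside tchar (a space and a vertical-tab control character).
SAMPLE = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: origin.example\r\n"
    b"X-Trace Id: abc\r\n"
    b"X-Ctl\x0bName: 1\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for lineno, name in invalid_field_names(SAMPLE):
        print(f"line {lineno}: invalid field name {name!r}")
```

A proxy or origin that rejects such requests with a 400 response, rather than forwarding or reinterpreting them, removes the parsing disagreement that request smuggling relies on.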