Apache Traffic Server: The TRACE method can be use to disclose network information
CVE-2022-47184

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Traffic Server
Vendor: CVE Published:; 14 June 2023

Summary

A vulnerability in Apache Traffic Server allows unauthorized actors to obtain sensitive information, potentially leading to unauthorized data access. This issue affects versions 8.0.0 to 9.2.0 of the server, highlighting the need for users to upgrade to the latest version to mitigate this risk.

Affected Version(s)

Apache Traffic Server 8.0.0 <= 9.2.0

References

https://lists.apache.org/thread/tns2b4khyyncgs5v5p9y35pob...

vendor-advisory

https://www.debian.org/security/2023/dsa-5435

https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 14, 2023
Vulnerability Reserved
Dec 12, 2022

Credit

Martin O'Neal