Apache Traffic Server: Differential fuzzing for HTTP request parsing discrepancies
CVE-2023-33934

9.1CRITICAL

Key Information:

Vendor: Apache
Status: Apache Traffic Server
Vendor: CVE Published:; 9 August 2023

Summary

An improper input validation vulnerability exists in Apache Traffic Server, which could allow an attacker to exploit the affected version through specially crafted input, potentially leading to security breaches. This issue impacts all versions of Apache Traffic Server up to 9.2.1, posing a risk to organizations and applications utilizing this server software.

Affected Version(s)

Apache Traffic Server 0 <= 9.2.1

References

https://lists.apache.org/thread/jsl6dfdgs1mjjo1mbtyflyjr7...

vendor-advisory

https://lists.fedoraproject.org/archives/list/package-ann...

https://lists.debian.org/debian-lts-announce/2023/09/msg0...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 9, 2023
Vulnerability Reserved
May 23, 2023

Credit

Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, Harvey Tuch