Apache Traffic Server: Vulnerability in Field Names Allows Request Smuggling and Cache Poisoning

CVE-2023-38522

7.5HIGH

Key Information

Vendor: Apache
Status: Apache Traffic Server
Vendor: CVE Published:; 26 July 2024

Summary

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

Affected Version(s)

Apache Traffic Server <= 8.1.10

Apache Traffic Server <= 9.2.4

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jul 26, 2024
Vulnerability Reserved.
Jul 18, 2023

Collectors

NVD DatabaseMitre Database

Credit

Ben Kallus