Apache Traffic Server: Vulnerability in Field Names Allows Request Smuggling and Cache Poisoning

CVE-2023-38522

7.5HIGH

Key Information

Vendor
Apache
Status
Apache Traffic Server
Vendor
CVE Published:
26 July 2024

Summary

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.

Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

Affected Version(s)

Apache Traffic Server <= 8.1.10

Apache Traffic Server <= 9.2.4

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

Ben Kallus
.