Apache Traffic Server: Malformed http/2 frames can cause an abort
CVE-2023-39456

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Traffic Server
Vendor: CVE Published:; 17 October 2023

What is CVE-2023-39456?

An improper input validation vulnerability exists in Apache Traffic Server, particularly affecting versions 9.0.0 through 9.2.2, when handling malformed HTTP/2 frames. This flaw can potentially lead to unexpected behavior or denial of service, impacting the stability and reliability of affected installations. It is strongly recommended that users upgrade to Apache Traffic Server version 9.2.3 to resolve this issue and enhance security.

Affected Version(s)

Apache Traffic Server 9.0.0 <= 9.2.2

References

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhs...

vendor-advisory

https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 17, 2023
Vulnerability Reserved
Aug 2, 2023

Credit

Akshat Parikh