Apache Traffic Server Vulnerability Affects Cache Lookup and Forwarding Requests
CVE-2024-35296

8.2HIGH

Key Information:

Vendor: Apache
Status: Apache Traffic Server
Vendor: CVE Published:; 26 July 2024

Summary

A vulnerability exists in Apache Traffic Server that arises from an invalid Accept-Encoding header, causing disruptions in cache lookup processes. This flaw can result in forced request forwarding, which may inadvertently expose systems to operational inefficiencies or security risks. It affects multiple versions of Apache Traffic Server, specifically from 8.0.0 through 8.1.10 and from 9.0.0 through 9.2.4. To mitigate potential impacts, users are strongly advised to update to versions 8.1.11 or 9.2.5, which contain the necessary patches to address this issue.

Affected Version(s)

Apache Traffic Server 8.0.0 <= 8.1.10

Apache Traffic Server 9.0.0 <= 9.2.4

References

https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543g...

vendor-advisory

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 26, 2024
Vulnerability Reserved
May 15, 2024

Credit

Min Chen