Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-38522

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

Published

2024-07-26T10:15:01.923

Last Modified

2024-11-21T08:13:45.093

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Primary
CWE-444
Type: Secondary
CWE-444
Type: Secondary
CWE-86

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	traffic_server	< 8.1.11	Yes
Application	apache	traffic_server	< 9.2.5	Yes

References

https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0 Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0 Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)