CVE-2018-8004

Published: Aug 29, 2018Modified: Nov 21, 2024

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.

Affected (3)

Products: Apache: Traffic Server · Debian: Debian Linux

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Traffic Server	From 6.0.0 to 6.2.2
Apache Traffic Server	From 7.0.0 to 7.1.3

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 9.0

Related CWEs

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

References (14)

http://www.securityfocus.com/bid/105192

Source: security@apache.org

Third Party AdvisoryVDB Entry

https://github.com/apache/trafficserver/pull/3192

Source: security@apache.org

PatchThird Party Advisory

https://github.com/apache/trafficserver/pull/3201

Source: security@apache.org

PatchThird Party Advisory

https://github.com/apache/trafficserver/pull/3231

Source: security@apache.org

PatchThird Party Advisory

https://github.com/apache/trafficserver/pull/3251

Source: security@apache.org

PatchThird Party Advisory

https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5%40%3Cusers.trafficserver.apache.org%3E

Source: security@apache.org

https://www.debian.org/security/2018/dsa-4282

Source: security@apache.org

Third Party Advisory

http://www.securityfocus.com/bid/105192

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://github.com/apache/trafficserver/pull/3192

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/apache/trafficserver/pull/3201

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/apache/trafficserver/pull/3231

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/apache/trafficserver/pull/3251

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5%40%3Cusers.trafficserver.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.debian.org/security/2018/dsa-4282

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.