Latest apache traffic server Vulnerabilities

CVE-2023-39456
Apache Traffic Server: Malformed http/2 frames can cause an abort
Apache Traffic Server>=9.0.0<9.2.3
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/trafficserver
CVE-2023-41752
Apache Traffic Server: s3_auth plugin problem with hash calculation
Apache Traffic Server>=8.0.0<8.1.9
Apache Traffic Server>=9.0.0<9.2.3
Fedoraproject Fedora=37
Fedoraproject Fedora=38
debian/trafficserver<=8.0.2+ds-1+deb10u6<=8.1.7+ds-1~deb11u1
CVE-2023-44487
- Rapid Reset HTTP/2 vulnerability
Microsoft Windows 11=21H2
Microsoft Windows 11=21H2
Microsoft Windows Server 2022
Microsoft Windows Server 2022
Microsoft Windows 11=22H2
Microsoft Windows 11=22H2
and 553 more
CVE-2023-33934
Apache Traffic Server: Differential fuzzing for HTTP request parsing discrepancies
Apache Traffic Server>=8.0.0<=8.1.7
Apache Traffic Server>=9.0.0<=9.2.1
debian/trafficserver<=8.0.2+ds-1+deb10u6<=8.1.7+ds-1~deb11u1
CVE-2022-47185
Apache Traffic Server: Invalid Range header causes a crash
Apache Traffic Server>=8.0.0<=8.1.7
Apache Traffic Server>=9.0.0<=9.2.1
debian/trafficserver<=8.0.2+ds-1+deb10u6<=8.1.7+ds-1~deb11u1
CVE-2023-30631
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.  The configuration option proxy.config.http.push_method_enabled didn't function.  However, by default the P...
Apache Traffic Server>=8.0.0<8.1.7
Apache Traffic Server>=9.0.0<9.2.1
debian/trafficserver<=8.0.2+ds-1+deb10u6
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Debian Debian Linux=12.0
and 2 more
CVE-2023-33933
Apache Traffic Server>=8.0.0<8.1.7
Apache Traffic Server>=9.0.0<9.2.1
debian/trafficserver<=8.0.2+ds-1+deb10u6
CVE-2022-47184
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: 8.0.0 to 9.2.0.
Apache Traffic Server>=8.0.0<8.1.7
Apache Traffic Server>=9.0.0<9.2.1
Debian Debian Linux=11.0
Debian Debian Linux=12.0
debian/trafficserver<=8.0.2+ds-1+deb10u6<=9.2.0+ds-2<=8.1.6+ds-1~deb11u1
debian/trafficserver<=8.0.2+ds-1+deb10u6
CVE-2022-40743
Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache...
Apache Traffic Server>=8.0.0<=8.1.5
Apache Traffic Server>=9.0.0<=9.1.3
CVE-2022-37392
Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
Apache Traffic Server>=8.0.0<8.1.6
Apache Traffic Server>=9.0.0<9.1.4
CVE-2022-32749
Apache Traffic Server>=8.0.0<8.1.6
Apache Traffic Server>=9.0.0<9.1.4
CVE-2022-31779
Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
debian/trafficserver<=8.0.2+ds-1+deb10u6
Apache Traffic Server>=8.0.0<=8.1.4
Apache Traffic Server>=9.0.0<=9.1.2
Debian Debian Linux=11.0
Fedoraproject Fedora=35
Fedoraproject Fedora=36
CVE-2022-28129
Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
debian/trafficserver<=8.0.2+ds-1+deb10u6
Apache Traffic Server>=8.0.0<=8.1.4
Apache Traffic Server>=9.0.0<=9.1.2
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Fedoraproject Fedora=35
and 1 more
CVE-2022-31780
Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
debian/trafficserver<=8.0.2+ds-1+deb10u6
Apache Traffic Server>=8.0.0<=8.1.4
Apache Traffic Server>=9.0.0<=9.1.2
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Fedoraproject Fedora=35
and 1 more
CVE-2022-25763
Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. This issue affects Apache Traffic Server 8.0...
debian/trafficserver<=8.0.2+ds-1+deb10u6
Apache Traffic Server>=8.0.0<8.1.5
Apache Traffic Server>=9.0.0<9.1.3
Debian Debian Linux=11.0
Fedoraproject Fedora=35
Fedoraproject Fedora=36
CVE-2022-31778
Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 8.0.0 to 9.0....
debian/trafficserver<=8.0.2+ds-1+deb10u6
Apache Traffic Server>=8.0.0<=8.1.4
Apache Traffic Server>=9.0.0<=9.1.2
Debian Debian Linux=11.0
CVE-2021-37150
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
debian/trafficserver<=8.0.2+ds-1+deb10u6
Apache Traffic Server>=8.0.0<=8.1.4
Apache Traffic Server>=9.0.0<=9.1.2
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Fedoraproject Fedora=35
and 1 more
CVE-2021-44759
Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the middle attack. This issue affects Apache Traffic Server 8.0.0 to 8.1.0...
debian/trafficserver
Apache Traffic Server>=8.0.0<=8.1.0
Debian Debian Linux=10.0
Debian Debian Linux=11.0
CVE-2021-44040
Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.3 and 9.0.0 ...
debian/trafficserver
Apache Traffic Server>=8.0.0<=8.1.3
Apache Traffic Server>=9.0.0<=9.1.1
Debian Debian Linux=10.0
Debian Debian Linux=11.0
CVE-2021-43082
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory. This issue affects A...
Apache Traffic Server>=8.0.0<=8.1.2
Apache Traffic Server>=9.0.0<=9.1.0
CVE-2021-38161
Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8.
debian/trafficserver
Apache Traffic Server>=8.0.0<=8.0.8
Debian Debian Linux=10.0
Debian Debian Linux=11.0
CVE-2021-37148
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1.
debian/trafficserver
Apache Traffic Server>=8.0.0<=8.1.2
Apache Traffic Server>=9.0.0<=9.0.1
Debian Debian Linux=10.0
Debian Debian Linux=11.0
CVE-2021-41585
Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop accepting new connections. This issue affects Apache Traffic...
Apache Traffic Server>=8.0.0<=8.1.2
Apache Traffic Server>=9.0.0<=9.1.0
CVE-2021-37149
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.
debian/trafficserver
Apache Traffic Server>=8.0.0<=8.1.2
Apache Traffic Server>=9.0.0<=9.1.0
Debian Debian Linux=10.0
Debian Debian Linux=11.0
CVE-2021-37147
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.
debian/trafficserver
Apache Traffic Server>=8.0.0<=8.1.2
Apache Traffic Server>=9.0.0<=9.1.0
Debian Debian Linux=10.0
Debian Debian Linux=11.0
CVE-2021-32567
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0....
debian/trafficserver
Apache Traffic Server>=7.0.0<=7.1.12
Apache Traffic Server>=8.0.0<=8.1.1
Apache Traffic Server>=9.0.0<=9.0.1
Debian Debian Linux=10.0
CVE-2021-35474
Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
debian/trafficserver
Apache Traffic Server>=7.0.0<=7.1.12
Apache Traffic Server>=8.0.0<=8.1.1
Apache Traffic Server>=9.0.0<=9.0.1
Debian Debian Linux=10.0
CVE-2021-32565
Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0...
debian/trafficserver
Apache Traffic Server>=7.0.0<=7.1.12
Apache Traffic Server>=8.0.0<=8.1.1
Apache Traffic Server>=9.0.0<=9.0.1
Debian Debian Linux=10.0
CVE-2021-27577
Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0...
Apache Traffic Server>=7.0.0<=7.1.12
Apache Traffic Server>=8.0.0<=8.1.1
Apache Traffic Server>=9.0.0<=9.0.1
Debian Debian Linux=8.0
debian/trafficserver
CVE-2020-17508
The ATS ESI plugin has a memory disclosure vulnerability. If you are running the plugin please upgrade. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected.
Apache Traffic Server>=6.0.0<=6.2.3
Apache Traffic Server>=7.0.0<=7.1.11
Apache Traffic Server>=8.0.0<=8.1.0
CVE-2020-9494
Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spi...
Apache Traffic Server>=6.0.0<=6.2.3
Apache Traffic Server>=7.0.0<=7.1.10
Apache Traffic Server>=8.0.0<=8.0.7
Debian Debian Linux=10.0
debian/trafficserver
debian/trafficserver<=8.0.2+ds-1<=8.0.0-1<=8.0.2+ds-1+deb10u2<=7.0.0-1<=8.0.7+ds-1<=6.0.0-1
CVE-2020-9481
Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack.
debian/trafficserver
Apache Traffic Server>=6.0.0<=6.2.3
Apache Traffic Server>=7.0.0<=7.1.9
Apache Traffic Server>=8.0.0<=8.0.6
Debian Debian Linux=10.0
CVE-2019-17559
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and scheme parsing. Upgrade to versions 7.1.9 and 8.0.6 or later versions.
debian/trafficserver
Apache Traffic Server>=6.0.0<=6.2.3
Apache Traffic Server>=7.0.0<=7.1.8
Apache Traffic Server>=8.0.0<=8.0.5
Debian Debian Linux=10.0
CVE-2020-1944
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and Transfer-Encoding and Content length headers. Upgrade to versions 7.1.9...
debian/trafficserver
Apache Traffic Server>=6.0.0<=6.2.3
Apache Traffic Server>=7.0.0<=7.1.8
Apache Traffic Server>=8.0.0<=8.0.5
Debian Debian Linux=10.0
CVE-2019-10079
Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol....
Apache Traffic Server<7.1.7
Apache Traffic Server>=8.0.0<8.0.4
CVE-2019-9517
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constr...
redhat/jbcs-httpd24-httpd<0:2.4.29-41.jbcs.el6
redhat/jbcs-httpd24-nghttp2<0:1.39.2-1.jbcs.el6
redhat/jbcs-httpd24-apr<0:1.6.3-63.jbcs.el6
redhat/jbcs-httpd24-apr-util<0:1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-brotli<0:1.0.6-7.jbcs.el6
redhat/jbcs-httpd24-curl<0:7.64.1-14.jbcs.el6
and 77 more
CVE-2019-9511
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data ...
redhat/jbcs-httpd24-httpd<0:2.4.29-41.jbcs.el6
redhat/jbcs-httpd24-nghttp2<0:1.39.2-1.jbcs.el6
redhat/jbcs-httpd24-apr<0:1.6.3-63.jbcs.el6
redhat/jbcs-httpd24-apr-util<0:1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-brotli<0:1.0.6-7.jbcs.el6
redhat/jbcs-httpd24-curl<0:7.64.1-14.jbcs.el6
and 165 more
CVE-2019-9516
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, o...
redhat/jbcs-httpd24-httpd<0:2.4.29-41.jbcs.el6
redhat/jbcs-httpd24-nghttp2<0:1.39.2-1.jbcs.el6
redhat/jbcs-httpd24-apr<0:1.6.3-63.jbcs.el6
redhat/jbcs-httpd24-apr-util<0:1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-brotli<0:1.0.6-7.jbcs.el6
redhat/jbcs-httpd24-curl<0:7.64.1-14.jbcs.el6
and 72 more
CVE-2019-9518
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-st...
redhat/rh-nodejs10<0:3.2-3.el7
redhat/rh-nodejs10-nodejs<0:10.16.3-3.el7
redhat/rh-nodejs8<0:3.0-5.el7
redhat/rh-nodejs8-nodejs<0:8.16.1-2.el7
redhat/envoy<1.11.1
redhat/Nodejs<8.16.1
and 45 more
CVE-2019-9515
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the ...
redhat/eap7-apache-cxf<0:3.2.10-1.redhat_00001.1.el6ea
redhat/eap7-byte-buddy<0:1.9.11-1.redhat_00002.1.el6ea
redhat/eap7-glassfish-jsf<0:2.3.5-5.SP3_redhat_00003.1.el6ea
redhat/eap7-hal-console<0:3.0.17-2.Final_redhat_00001.1.el6ea
redhat/eap7-hibernate<0:5.3.13-1.Final_redhat_00001.1.el6ea
redhat/eap7-ironjacamar<0:1.4.18-1.Final_redhat_00001.1.el6ea
and 140 more
CVE-2019-9514
A flaw was found in HTTP/2. Using HEADER frames with invalid HTTP headers and queuing of response RST_STREAM frames, an attacker could cause a flood resulting in unbounded memory growth. The highest t...
redhat/go-toolset<1.11-0:1.11.13-1.el7
redhat/go-toolset<1.11-golang-0:1.11.13-2.el7
redhat/containernetworking-plugins<0:0.8.1-4.el7_7
redhat/eap7-apache-cxf<0:3.2.10-1.redhat_00001.1.el6ea
redhat/eap7-byte-buddy<0:1.9.11-1.redhat_00002.1.el6ea
redhat/eap7-glassfish-jsf<0:2.3.5-5.SP3_redhat_00003.1.el6ea
and 220 more
CVE-2019-9513
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the str...
redhat/jbcs-httpd24-httpd<0:2.4.29-41.jbcs.el6
redhat/jbcs-httpd24-nghttp2<0:1.39.2-1.jbcs.el6
redhat/jbcs-httpd24-apr<0:1.6.3-63.jbcs.el6
redhat/jbcs-httpd24-apr-util<0:1.6.1-48.jbcs.el6
redhat/jbcs-httpd24-brotli<0:1.0.6-7.jbcs.el6
redhat/jbcs-httpd24-curl<0:7.64.1-14.jbcs.el6
and 101 more
CVE-2019-9512
A flaw was found in HTTP/2. Using PING frames and queuing of response PING ACK frames, a flood attack could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to...
go/golang.org/x/net<0.0.0-20190813141303-74dc4d7220e7
redhat/go-toolset<1.11-0:1.11.13-1.el7
redhat/go-toolset<1.11-golang-0:1.11.13-2.el7
redhat/containernetworking-plugins<0:0.8.1-4.el7_7
redhat/eap7-apache-cxf<0:3.2.10-1.redhat_00001.1.el6ea
redhat/eap7-byte-buddy<0:1.9.11-1.redhat_00002.1.el6ea
and 174 more
CVE-2018-11783
sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in so...
Apache Traffic Server>=6.0.0<=6.0.3
Apache Traffic Server>=7.0.0<=7.1.5
Apache Traffic Server>=8.0.0<=8.0.1
CVE-2018-8022
A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. This affects version 6.2.2. To resolve this issue users running 6.2.2 should upgrade to 6.2.3 or later vers...
Apache Traffic Server>=6.0.0<=6.2.2
CVE-2018-8040
Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 an...
debian/trafficserver
Apache Traffic Server>=6.0.0<=6.2.2
Apache Traffic Server>=7.0.0<=7.1.3
Debian Debian Linux=9.0
CVE-2018-8004
There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. ...
debian/trafficserver
Apache Traffic Server>=6.0.0<=6.2.2
Apache Traffic Server>=7.0.0<=7.1.3
Debian Debian Linux=9.0
CVE-2018-1318
Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request. This affects versions Apache Traffic Server (ATS) 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve...
debian/trafficserver
Apache Traffic Server>=6.0.0<=6.2.2
Apache Traffic Server>=7.0.0<=7.1.3
Debian Debian Linux=9.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203