Apache Traffic Server security advisories

Security information for Apache Traffic Server

Reporting

Do you want disclose a potential security issue for Apache Traffic Server? You can read more about the projects’ security policy on their security page, and email your report to the Apache Traffic Server Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Malformed chunked message body allows request smuggling

CVE-2025-65114 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-10T15:56:14.648Z

Affected

  • Apache Traffic Server from 9.0.0 through 9.2.12
  • Apache Traffic Server from 10.0.0 through 10.1.1

Description

Apache Traffic Server allows request smuggling if chunked messages are malformed. 

This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1.

Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.

References

Credits

  • Katsutoshi Ikenoya (reporter)

A simple legitimate POST request causes a crash

CVE-2025-58136 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-10T15:53:47.491Z

Affected

  • Apache Traffic Server from 10.0.0 through 10.1.1
  • Apache Traffic Server from 9.0.0 through 9.2.12

Description

A bug in POST request handling causes a crash under a certain condition.

This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12.

Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue.

A workaround for older versions is to set proxy.config.http.request_buffer_enabled to 0 (the default value is 0). 

References

Remote DoS via memory exhaustion in ESI Plugin

CVE-2025-49763 [CVE] [CVE json] [OSV json]

Last updated: 2025-06-19T10:07:13.563Z

Affected

  • Apache Traffic Server from 10.0.0 through 10.0.5
  • Apache Traffic Server from 9.0.0 through 9.2.10

Description

ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.

Users can use a new setting for the plugin (--max-inclusion-depth) to limit it.

This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.

Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

References

Credits

  • Yohann Sillam (reporter)

Client IP address from PROXY protocol is not used for ACL

CVE-2025-31698 [CVE] [CVE json] [OSV json]

Last updated: 2025-06-19T10:07:45.344Z

Affected

  • Apache Traffic Server from 10.0.0 through 10.0.6
  • Apache Traffic Server from 9.0.0 through 9.2.10

Description

ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol.

Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol. 

This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10.

Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

References

Expect header field can unreasonably retain resource

CVE-2024-56202 [CVE] [CVE json] [OSV json]

Last updated: 2025-03-06T11:09:09.771Z

Affected

  • Apache Traffic Server from 9.0.0 through 9.2.8
  • Apache Traffic Server from 10.0.0 through 10.0.3

Description

Expected Behavior Violation vulnerability in Apache Traffic Server.

This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.

Users are recommended to upgrade to versions 9.2.9 or 10.0.4 or newer, which fixes the issue.

References

Credits

  • David Carlin (reporter)

ACL is not fully compatible with older versions

CVE-2024-56196 [CVE] [CVE json] [OSV json]

Last updated: 2025-03-06T11:21:46.767Z

Affected

  • Apache Traffic Server from 10.0.0 through 10.0.3

Description

Improper Access Control vulnerability in Apache Traffic Server.

This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3.

Users are recommended to upgrade to version 10.0.4, which fixes the issue.

References

Credits

  • Chris McFarlen (reporter)

Intercept plugins are not access controlled

CVE-2024-56195 [CVE] [CVE json] [OSV json]

Last updated: 2025-03-06T11:23:34.892Z

Affected

  • Apache Traffic Server from 9.2.0 through 9.2.8
  • Apache Traffic Server from 10.0.0 through 10.0.3

Description

Improper Access Control vulnerability in Apache Traffic Server.

This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3.

Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.

References

Credits

  • Masaori Koshiba (reporter)

Malformed chunked message body allows request smuggling

CVE-2024-53868 [CVE] [CVE json] [OSV json]

Last updated: 2025-04-03T08:58:55.409Z

Affected

  • Apache Traffic Server from 9.2.0 through 9.2.9
  • Apache Traffic Server from 10.0.0 through 10.0.4

Description

Apache Traffic Server allows request smuggling if chunked messages are malformed. 

This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4.

Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue.

References

Credits

  • Jeppe Bonde Weikop (reporter)

Server process can fail to drop privilege

CVE-2024-50306 [CVE] [CVE json] [OSV json]

Last updated: 2024-11-14T09:55:41.120Z

Affected

  • Apache Traffic Server from 9.2.0 through 9.2.5
  • Apache Traffic Server from 10.0.0 through 10.0.1

Description

Unchecked return value can allow Apache Traffic Server to retain privileges on startup.

This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1.

Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue.

References

Credits

  • Jeffrey BENCTEUX (reporter)

Valid Host field value can cause crashes

CVE-2024-50305 [CVE] [CVE json] [OSV json]

Last updated: 2024-11-14T09:54:18.691Z

Affected

  • Apache Traffic Server from 9.2.0 through 9.2.5

Description

Valid Host header field can cause Apache Traffic Server to crash on some platforms.

This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5.

Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.

References

Cache key plugin is vulnerable to cache poisoning attack

CVE-2024-38479 [CVE] [CVE json] [OSV json]

Last updated: 2024-12-19T08:48:33.164Z

Affected

  • Apache Traffic Server from 8.0.0 through 8.1.11
  • Apache Traffic Server from 9.0.0 through 9.2.5

Description

Improper Input Validation vulnerability in Apache Traffic Server.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5.

Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.

References

Request smuggling via pipelining after a chunked message body

CVE-2024-38311 [CVE] [CVE json] [OSV json]

Last updated: 2025-03-06T11:34:14.593Z

Affected

  • Apache Traffic Server from 8.0.0 through 8.1.11
  • Apache Traffic Server from 9.0.0 through 9.2.8
  • Apache Traffic Server from 10.0.0 through 10.0.3

Description

Improper Input Validation vulnerability in Apache Traffic Server.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.

Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.

References

Credits

  • Ben Kallus (reporter)

Invalid Accept-Encoding can force forwarding requests

CVE-2024-35296 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-26T09:11:09.740Z

Affected

  • Apache Traffic Server from 8.0.0 through 8.1.10
  • Apache Traffic Server from 9.0.0 through 9.2.4

Description

Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.

Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

References

Credits

  • Min Chen (reporter)

Incomplete check for chunked trailer section allows request smuggling

CVE-2024-35161 [CVE] [CVE json] [OSV json]

Last updated: 2024-08-13T08:48:31.440Z

Affected

  • Apache Traffic Server from 8.0.0 through 8.1.10
  • Apache Traffic Server from 9.0.0 through 9.2.4

Description

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.

Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section.

Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

References

Credits

  • Keran Mu (reporter)

HTTP/2 CONTINUATION frames can be utilized for DoS attack

CVE-2024-31309 [CVE] [CVE json] [OSV json]

Last updated: 2024-04-10T15:16:21.844Z

Affected

  • Apache Traffic Server from 8.0.0 through 8.1.9
  • Apache Traffic Server from 9.0.0 through 9.2.3

Description

HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server.  Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected.

Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute.  ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases.

Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.

References

Credits

  • Bartek Nowotarski (reporter)

s3_auth plugin problem with hash calculation

CVE-2023-41752 [CVE] [CVE json] [OSV json]

Last updated: 2023-10-17T06:57:44.046Z

Affected

  • Apache Traffic Server from 8.0.0 through 8.1.8
  • Apache Traffic Server from 9.0.0 through 9.2.2

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2.

Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fixes the issue.

References

Credits

  • Masakazu Kitajo (finder)

Malformed http/2 frames can cause an abort

CVE-2023-39456 [CVE] [CVE json] [OSV json]

Last updated: 2023-10-17T06:58:15.367Z

Affected

  • Apache Traffic Server from 9.0.0 through 9.2.2

Description

Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.

This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2.

Users are recommended to upgrade to version 9.2.3, which fixes the issue.

References

Credits

  • Akshat Parikh (finder)

Incomplete field name check allows request smuggling

CVE-2023-38522 [CVE] [CVE json] [OSV json]

Last updated: 2024-08-13T08:46:41.192Z

Affected

  • Apache Traffic Server from 8.0.0 through 8.1.10
  • Apache Traffic Server from 9.0.0 through 9.2.4

Description

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.

Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

References

Credits

  • Ben Kallus (finder)

Differential fuzzing for HTTP request parsing discrepancies

CVE-2023-33934 [CVE] [CVE json]

Last updated: 2023-09-28T08:24:06.964Z

Affected

  • Apache Traffic Server through 9.2.1

Description

Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.

This issue affects Apache Traffic Server: through 9.2.1.

References

Credits

  • Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, Harvey Tuch (finder)

s3_auth plugin problem with hash calculation

CVE-2023-33933 [CVE] [CVE json] [OSV json]

Last updated: 2023-08-31T19:49:23.749Z

Affected

  • Apache Traffic Server from 8.0.0 through 9.2.0

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.

This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.

8.x users should upgrade to 8.1.7 or later versions
9.x users should upgrade to 9.2.1 or later versions

References

Credits

  • Masakazu Kitajo (reporter)

Configuration option to block the PUSH method in ATS didn’t work

CVE-2023-30631 [CVE] [CVE json] [OSV json]

Last updated: 2023-06-14T07:44:52.725Z

Affected

  • Apache Traffic Server from 8.0.0 through 9.2.0

Description

Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.  The configuration option proxy.config.http.push_method_enabled didn’t function.  However, by default the PUSH method is blocked in the ip_allow configuration file.

This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.

8.x users should upgrade to 8.1.7 or later versions
9.x users should upgrade to 9.2.1 or later versions

References

Credits

  • Chris Lemmons (finder)

Invalid Range header causes a crash

CVE-2022-47185 [CVE] [CVE json] [OSV json]

Last updated: 2023-08-09T06:57:36.707Z

Affected

  • Apache Traffic Server through 9.2.1

Description

Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server.

This issue affects Apache Traffic Server: through 9.2.1.

References

Credits

  • Katsutoshi Ikenoya (finder)

The TRACE method can be use to disclose network information

CVE-2022-47184 [CVE] [CVE json] [OSV json]

Last updated: 2023-06-14T07:42:29.792Z

Affected

  • Apache Traffic Server from 8.0.0 through 9.2.0

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.

This issue affects Apache Traffic Server: 8.0.0 to 9.2.0.

References

Credits

  • Martin O’Neal (reporter)

Security issues with the xdebug plugin

CVE-2022-40743 [CVE] [CVE json] [OSV json]

Last updated: 2023-07-17T14:33:07.403Z

Affected

  • Apache Traffic Server from 9.0.0 through 9.1.3

Description

Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.

This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.

References

Credits

  • Nick Frost (finder)

Improperly reading the client requests

CVE-2022-37392 [CVE] [CVE json] [OSV json]

Last updated: 2022-12-19T10:58:23.000Z

Affected

  • Apache Traffic Server from 8.0.0 through 9.1.3

Description

Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

References

Credits

  • Menno de Gier (finder)

Improperly handled requests can cause crashes in specific plugins

CVE-2022-32749 [CVE] [CVE json] [OSV json]

Last updated: 2022-12-19T10:51:20.718Z

Affected

  • Apache Traffic Server from 8.0.0 through 9.1.3

Description

Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions.

This issue affects Apache Traffic Server: from 8.0.0 through 9.1.3.

References

Credits

  • Vijay Mamidi (finder)

HTTP/2 framing vulnerabilities

CVE-2022-31780 [CVE] [CVE json] [OSV json]

Last updated: 2022-08-10T05:45:38.174Z

Affected

  • Apache Traffic Server at 8.0.0 to 9.1.2

Description

Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

References

Credits

  • Apache Traffic Server would like to thank Bahruz Jabiyev, Steven Sprecher, Anthony Gavazzi, Tommaso Innocenti, Kaan Onarlioglu, and Engin Kirda for reporting these issues.

Improper HTTP/2 scheme and method validation

CVE-2022-31779 [CVE] [CVE json] [OSV json]

Last updated: 2022-10-27T00:00:36.092Z

Affected

  • Apache Traffic Server at 8.0.0 to 9.1.2

Description

Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

References

Credits

  • Apache Traffic Server would like to thank Dhana Sekaran for reporting this issue.

Transfer-Encoding not treated as hop-by-hop

CVE-2022-31778 [CVE] [CVE json] [OSV json]

Last updated: 2022-08-10T05:44:15.239Z

Affected

  • Apache Traffic Server at 8.0.0 to 9.0.2

Description

Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 8.0.0 to 9.0.2.

References

Credits

  • Apache Traffic Server would like to thank Chris Lemmons for reporting this issue.

Insufficient Validation of HTTP/1.x Headers

CVE-2022-28129 [CVE] [CVE json] [OSV json]

Last updated: 2022-08-10T05:42:44.803Z

Affected

  • Apache Traffic Server at 8.0.0 to 9.1.2

Description

Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

References

Credits

  • Apache Traffic Server would like to thank Zhang Zeyu for reporting this issue.

Improper input validation on HTTP/2 headers

CVE-2022-25763 [CVE] [CVE json] [OSV json]

Last updated: 2022-10-20T20:25:04.197Z

Affected

  • Apache Traffic Server at 8.0.0 to 9.1.2

Description

Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

References

Credits

  • Apache Traffic Server would like to thank Mazakatsu Kitajo, Dhana Sekaran, and Zhang Zeyu for reporting this issue.

Improper authentication vulnerability in TLS origin verification

CVE-2021-44759 [CVE] [CVE json] [OSV json]

Last updated: 2022-03-23T14:03:27.211Z

Affected

  • Apache Traffic Server at 8.0.0 to 8.1.0

Description

Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the middle attack. This issue affects Apache Traffic Server 8.0.0 to 8.1.0.

References

Credits

  • Apache Traffic Server would like to thank Takuya Kitano for reporting this issue.

HTTP request line fuzzing attacks

CVE-2021-44040 [CVE] [CVE json] [OSV json]

Last updated: 2022-03-23T14:04:02.939Z

Affected

  • Apache Traffic Server at 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1

Description

Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1.

References

Credits

heap-buffer-overflow with stats-over-http plugin

CVE-2021-43082 [CVE] [CVE json] [OSV json]

Last updated: 2021-11-02T21:16:59.675Z

Affected

  • Apache Traffic Server at 9.1.0

Description

Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory. This issue affects Apache Traffic Server 9.1.0.

References

Credits

  • Apache Traffic Server would like to thank Masori Koshiba for finding this issue.

ATS stops accepting connections on FreeBSD

CVE-2021-41585 [CVE] [CVE json] [OSV json]

Last updated: 2021-11-02T21:16:43.796Z

Affected

  • Apache Traffic Server at 7.0.0 to 9.1.0

Description

Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop accepting new connections. This issue affects Apache Traffic Server 5.0.0 to 9.1.0.

References

Credits

  • Apache Traffic Server would like to thank Asbjorn Bjornstad for finding this issue.

Not validating origin TLS certificate

CVE-2021-38161 [CVE] [CVE json] [OSV json]

Last updated: 2021-11-02T21:16:04.785Z

Affected

  • Apache Traffic Server at 8.0.0 to 8.0.8

Description

Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8.

References

Protocol vs scheme mismatch

CVE-2021-37150 [CVE] [CVE json] [OSV json]

Last updated: 2022-08-10T05:43:13.024Z

Affected

  • Apache Traffic Server at 8.0.0 to 9.1.2

Description

Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

References

Request Smuggling - multiple attacks

CVE-2021-37149 [CVE] [CVE json] [OSV json]

Last updated: 2021-11-02T21:15:10.588Z

Affected

  • Apache Traffic Server at 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0

Description

Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.

References

Credits

  • Apache Traffic Server would like to thank Mattias Grenfeldt and Asta Olofsson for reporting this issue

Request Smuggling - transfer encoding validation

CVE-2021-37148 [CVE] [CVE json] [OSV json]

Last updated: 2021-11-02T21:14:46.545Z

Affected

  • Apache Traffic Server at 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1

Description

Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1.

References

Credits

  • Apache Traffic Server would like to thank Mattias Grenfeldt and Asta Olofsson for reporting this issue

Request Smuggling - LF line ending

CVE-2021-37147 [CVE] [CVE json] [OSV json]

Last updated: 2021-11-02T21:14:21.298Z

Affected

  • Apache Traffic Server at 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0

Description

Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.

References

Credits

  • Apache Traffic Server would like to thank Mattias Grenfeldt and Asta Olofsson for reporting this issue.

Dynamic stack buffer overflow in cachekey plugin

CVE-2021-35474 [CVE] [CVE json] [OSV json]

Last updated: 2021-06-30T07:12:52.360Z

Affected

  • Apache Traffic Server at 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1

Description

Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

References

Reading HTTP/2 frames too many times

CVE-2021-32567 [CVE] [CVE json] [OSV json]

Last updated: 2021-06-30T07:12:25.231Z

Affected

  • Apache Traffic Server at 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1

Description

Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

References

Specific sequence of HTTP/2 frames can cause ATS to crash

CVE-2021-32566 [CVE] [CVE json] [OSV json]

Last updated: 2021-06-30T07:11:47.425Z

Affected

  • Apache Traffic Server at 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1

Description

Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

References

HTTP Request Smuggling, content length with invalid charters

CVE-2021-32565 [CVE] [CVE json] [OSV json]

Last updated: 2021-06-28T17:31:31.239Z

Affected

  • Apache Traffic Server at 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1

Description

Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

References

slicer plugin crash

CVE-2021-27737 [CVE] [CVE json]

Last updated: 2021-05-17T17:41:59.734Z

Affected

  • Apache Traffic Server at 9.0.0

Description

Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin.

Incorrect handling of url fragment leads to cache poisoning

CVE-2021-27577 [CVE] [CVE json] [OSV json]

Last updated: 2021-06-28T17:28:40.345Z

Affected

  • Apache Traffic Server at 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1

Description

Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

References

Apache Traffic Server negative cache option is vulnerable to a cache poisoning attack

CVE-2020-17509 [CVE] [CVE json] [OSV json]

Last updated: 2021-01-11T09:31:44.280Z

Affected

  • Apache Traffic Server from Apache Traffic Server through 6.2.3

Description

Apache Traffic Server negative cache option is vulnerable to a cache poisoning attack affecting versions 6.0.0 through 6.2.3, 7.0.0 through 7.1.10, and 8.0.0 through 8.0.7. If you have this option enabled, please upgrade or disable this feature.

References

Apache Traffic Server ESI plugin has a memory disclosure vulnerability

CVE-2020-17508 [CVE] [CVE json] [OSV json]

Last updated: 2021-01-11T09:27:29.639Z

Affected

  • Apache Traffic Server from Apache Traffic Server through 6.2.3

Description

The ESI plugin in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.11, and 8.0.0 to 8.1.0 has a memory disclosure vulnerability. If you are running the plugin please upgrade to 7.1.12 or 8.1.1 or later.

References