Apache Traffic Server security advisories
Security information for Apache Traffic Server
Reporting
Do you want disclose a potential security issue for Apache Traffic Server? You can read more about the projects’ security policy on their security page, and email your report to the Apache Traffic Server Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Malformed chunked message body allows request smuggling
CVE-2025-65114 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-10T15:56:14.648Z
Affected
- Apache Traffic Server from 9.0.0 through 9.2.12
- Apache Traffic Server from 10.0.0 through 10.1.1
Description
Apache Traffic Server allows request smuggling if chunked messages are malformed.
This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1.
Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.
References
Credits
- Katsutoshi Ikenoya (reporter)
A simple legitimate POST request causes a crash
CVE-2025-58136 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-10T15:53:47.491Z
Affected
- Apache Traffic Server from 10.0.0 through 10.1.1
- Apache Traffic Server from 9.0.0 through 9.2.12
Description
A bug in POST request handling causes a crash under a certain condition.
This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12.
Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue.
A workaround for older versions is to set proxy.config.http.request_buffer_enabled to 0 (the default value is 0).References
Remote DoS via memory exhaustion in ESI Plugin
CVE-2025-49763 [CVE] [CVE json] [OSV json]
Last updated: 2025-06-19T10:07:13.563Z
Affected
- Apache Traffic Server from 10.0.0 through 10.0.5
- Apache Traffic Server from 9.0.0 through 9.2.10
Description
ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.
Users can use a new setting for the plugin (--max-inclusion-depth) to limit it.This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.
Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
References
Credits
- Yohann Sillam (reporter)
Client IP address from PROXY protocol is not used for ACL
CVE-2025-31698 [CVE] [CVE json] [OSV json]
Last updated: 2025-06-19T10:07:45.344Z
Affected
- Apache Traffic Server from 10.0.0 through 10.0.6
- Apache Traffic Server from 9.0.0 through 9.2.10
Description
ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol.
Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol.This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10.
Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
References
Expect header field can unreasonably retain resource
CVE-2024-56202 [CVE] [CVE json] [OSV json]
Last updated: 2025-03-06T11:09:09.771Z
Affected
- Apache Traffic Server from 9.0.0 through 9.2.8
- Apache Traffic Server from 10.0.0 through 10.0.3
Description
Expected Behavior Violation vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.
Users are recommended to upgrade to versions 9.2.9 or 10.0.4 or newer, which fixes the issue.
References
Credits
- David Carlin (reporter)
ACL is not fully compatible with older versions
CVE-2024-56196 [CVE] [CVE json] [OSV json]
Last updated: 2025-03-06T11:21:46.767Z
Affected
- Apache Traffic Server from 10.0.0 through 10.0.3
Description
Improper Access Control vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3.
Users are recommended to upgrade to version 10.0.4, which fixes the issue.
References
Credits
- Chris McFarlen (reporter)
Intercept plugins are not access controlled
CVE-2024-56195 [CVE] [CVE json] [OSV json]
Last updated: 2025-03-06T11:23:34.892Z
Affected
- Apache Traffic Server from 9.2.0 through 9.2.8
- Apache Traffic Server from 10.0.0 through 10.0.3
Description
Improper Access Control vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3.
Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.
References
Credits
- Masaori Koshiba (reporter)
Malformed chunked message body allows request smuggling
CVE-2024-53868 [CVE] [CVE json] [OSV json]
Last updated: 2025-04-03T08:58:55.409Z
Affected
- Apache Traffic Server from 9.2.0 through 9.2.9
- Apache Traffic Server from 10.0.0 through 10.0.4
Description
Apache Traffic Server allows request smuggling if chunked messages are malformed.
This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4.
Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue.
References
Credits
- Jeppe Bonde Weikop (reporter)
Server process can fail to drop privilege
CVE-2024-50306 [CVE] [CVE json] [OSV json]
Last updated: 2024-11-14T09:55:41.120Z
Affected
- Apache Traffic Server from 9.2.0 through 9.2.5
- Apache Traffic Server from 10.0.0 through 10.0.1
Description
Unchecked return value can allow Apache Traffic Server to retain privileges on startup.
This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1.
Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue.
References
Credits
- Jeffrey BENCTEUX (reporter)
Valid Host field value can cause crashes
CVE-2024-50305 [CVE] [CVE json] [OSV json]
Last updated: 2024-11-14T09:54:18.691Z
Affected
- Apache Traffic Server from 9.2.0 through 9.2.5
Description
Valid Host header field can cause Apache Traffic Server to crash on some platforms.
This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5.
Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
References
Cache key plugin is vulnerable to cache poisoning attack
CVE-2024-38479 [CVE] [CVE json] [OSV json]
Last updated: 2024-12-19T08:48:33.164Z
Affected
- Apache Traffic Server from 8.0.0 through 8.1.11
- Apache Traffic Server from 9.0.0 through 9.2.5
Description
Improper Input Validation vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5.
Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
References
Request smuggling via pipelining after a chunked message body
CVE-2024-38311 [CVE] [CVE json] [OSV json]
Last updated: 2025-03-06T11:34:14.593Z
Affected
- Apache Traffic Server from 8.0.0 through 8.1.11
- Apache Traffic Server from 9.0.0 through 9.2.8
- Apache Traffic Server from 10.0.0 through 10.0.3
Description
Improper Input Validation vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.
Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.
References
Credits
- Ben Kallus (reporter)
Invalid Accept-Encoding can force forwarding requests
CVE-2024-35296 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-26T09:11:09.740Z
Affected
- Apache Traffic Server from 8.0.0 through 8.1.10
- Apache Traffic Server from 9.0.0 through 9.2.4
Description
Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.
Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
References
Credits
- Min Chen (reporter)
Incomplete check for chunked trailer section allows request smuggling
CVE-2024-35161 [CVE] [CVE json] [OSV json]
Last updated: 2024-08-13T08:48:31.440Z
Affected
- Apache Traffic Server from 8.0.0 through 8.1.10
- Apache Traffic Server from 9.0.0 through 9.2.4
Description
Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.
Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section.Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
References
Credits
- Keran Mu (reporter)
HTTP/2 CONTINUATION frames can be utilized for DoS attack
CVE-2024-31309 [CVE] [CVE json] [OSV json]
Last updated: 2024-04-10T15:16:21.844Z
Affected
- Apache Traffic Server from 8.0.0 through 8.1.9
- Apache Traffic Server from 9.0.0 through 9.2.3
Description
HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected.
Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases.Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.
References
Credits
- Bartek Nowotarski (reporter)
s3_auth plugin problem with hash calculation
CVE-2023-41752 [CVE] [CVE json] [OSV json]
Last updated: 2023-10-17T06:57:44.046Z
Affected
- Apache Traffic Server from 8.0.0 through 8.1.8
- Apache Traffic Server from 9.0.0 through 9.2.2
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2.
Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fixes the issue.
References
Credits
- Masakazu Kitajo (finder)
Malformed http/2 frames can cause an abort
CVE-2023-39456 [CVE] [CVE json] [OSV json]
Last updated: 2023-10-17T06:58:15.367Z
Affected
- Apache Traffic Server from 9.0.0 through 9.2.2
Description
Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.
This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2.
Users are recommended to upgrade to version 9.2.3, which fixes the issue.
References
Credits
- Akshat Parikh (finder)
Incomplete field name check allows request smuggling
CVE-2023-38522 [CVE] [CVE json] [OSV json]
Last updated: 2024-08-13T08:46:41.192Z
Affected
- Apache Traffic Server from 8.0.0 through 8.1.10
- Apache Traffic Server from 9.0.0 through 9.2.4
Description
Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.
This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.
Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
References
Credits
- Ben Kallus (finder)
Differential fuzzing for HTTP request parsing discrepancies
CVE-2023-33934 [CVE] [CVE json]
Last updated: 2023-09-28T08:24:06.964Z
Affected
- Apache Traffic Server through 9.2.1
Description
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.
This issue affects Apache Traffic Server: through 9.2.1.
References
- https://lists.apache.org/thread/jsl6dfdgs1mjjo1mbtyflyjr7xftswhc
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BOTOM2MFKOLK46Q3BQHO662HTPZFRQUC/
Credits
- Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, Harvey Tuch (finder)
s3_auth plugin problem with hash calculation
CVE-2023-33933 [CVE] [CVE json] [OSV json]
Last updated: 2023-08-31T19:49:23.749Z
Affected
- Apache Traffic Server from 8.0.0 through 9.2.0
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.
This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.
8.x users should upgrade to 8.1.7 or later versions
9.x users should upgrade to 9.2.1 or later versions
References
Credits
- Masakazu Kitajo (reporter)
Configuration option to block the PUSH method in ATS didn’t work
CVE-2023-30631 [CVE] [CVE json] [OSV json]
Last updated: 2023-06-14T07:44:52.725Z
Affected
- Apache Traffic Server from 8.0.0 through 9.2.0
Description
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. The configuration option proxy.config.http.push_method_enabled didn’t function. However, by default the PUSH method is blocked in the ip_allow configuration file.
This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.
8.x users should upgrade to 8.1.7 or later versions
9.x users should upgrade to 9.2.1 or later versions
References
Credits
- Chris Lemmons (finder)
Invalid Range header causes a crash
CVE-2022-47185 [CVE] [CVE json] [OSV json]
Last updated: 2023-08-09T06:57:36.707Z
Affected
- Apache Traffic Server through 9.2.1
Description
Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server.
This issue affects Apache Traffic Server: through 9.2.1.
References
Credits
- Katsutoshi Ikenoya (finder)
The TRACE method can be use to disclose network information
CVE-2022-47184 [CVE] [CVE json] [OSV json]
Last updated: 2023-06-14T07:42:29.792Z
Affected
- Apache Traffic Server from 8.0.0 through 9.2.0
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.
This issue affects Apache Traffic Server: 8.0.0 to 9.2.0.
References
Credits
- Martin O’Neal (reporter)
Security issues with the xdebug plugin
CVE-2022-40743 [CVE] [CVE json] [OSV json]
Last updated: 2023-07-17T14:33:07.403Z
Affected
- Apache Traffic Server from 9.0.0 through 9.1.3
Description
Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.
This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.
References
Credits
- Nick Frost (finder)
Improperly reading the client requests
CVE-2022-37392 [CVE] [CVE json] [OSV json]
Last updated: 2022-12-19T10:58:23.000Z
Affected
- Apache Traffic Server from 8.0.0 through 9.1.3
Description
Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
References
Credits
- Menno de Gier (finder)
Improperly handled requests can cause crashes in specific plugins
CVE-2022-32749 [CVE] [CVE json] [OSV json]
Last updated: 2022-12-19T10:51:20.718Z
Affected
- Apache Traffic Server from 8.0.0 through 9.1.3
Description
Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions.
This issue affects Apache Traffic Server: from 8.0.0 through 9.1.3.
References
Credits
- Vijay Mamidi (finder)
HTTP/2 framing vulnerabilities
CVE-2022-31780 [CVE] [CVE json] [OSV json]
Last updated: 2022-08-10T05:45:38.174Z
Affected
- Apache Traffic Server at 8.0.0 to 9.1.2
Description
Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
References
Credits
- Apache Traffic Server would like to thank Bahruz Jabiyev, Steven Sprecher, Anthony Gavazzi, Tommaso Innocenti, Kaan Onarlioglu, and Engin Kirda for reporting these issues.
Improper HTTP/2 scheme and method validation
CVE-2022-31779 [CVE] [CVE json] [OSV json]
Last updated: 2022-10-27T00:00:36.092Z
Affected
- Apache Traffic Server at 8.0.0 to 9.1.2
Description
Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
References
Credits
- Apache Traffic Server would like to thank Dhana Sekaran for reporting this issue.
Transfer-Encoding not treated as hop-by-hop
CVE-2022-31778 [CVE] [CVE json] [OSV json]
Last updated: 2022-08-10T05:44:15.239Z
Affected
- Apache Traffic Server at 8.0.0 to 9.0.2
Description
Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 8.0.0 to 9.0.2.
References
Credits
- Apache Traffic Server would like to thank Chris Lemmons for reporting this issue.
Insufficient Validation of HTTP/1.x Headers
CVE-2022-28129 [CVE] [CVE json] [OSV json]
Last updated: 2022-08-10T05:42:44.803Z
Affected
- Apache Traffic Server at 8.0.0 to 9.1.2
Description
Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
References
Credits
- Apache Traffic Server would like to thank Zhang Zeyu for reporting this issue.
Improper input validation on HTTP/2 headers
CVE-2022-25763 [CVE] [CVE json] [OSV json]
Last updated: 2022-10-20T20:25:04.197Z
Affected
- Apache Traffic Server at 8.0.0 to 9.1.2
Description
Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
References
Credits
- Apache Traffic Server would like to thank Mazakatsu Kitajo, Dhana Sekaran, and Zhang Zeyu for reporting this issue.
Improper authentication vulnerability in TLS origin verification
CVE-2021-44759 [CVE] [CVE json] [OSV json]
Last updated: 2022-03-23T14:03:27.211Z
Affected
- Apache Traffic Server at 8.0.0 to 8.1.0
Description
Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the middle attack. This issue affects Apache Traffic Server 8.0.0 to 8.1.0.
References
Credits
- Apache Traffic Server would like to thank Takuya Kitano for reporting this issue.
HTTP request line fuzzing attacks
CVE-2021-44040 [CVE] [CVE json] [OSV json]
Last updated: 2022-03-23T14:04:02.939Z
Affected
- Apache Traffic Server at 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1
Description
Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1.
References
Credits
- Apache Traffic Server would like to thank Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu for reporting these issues. We used his tool t-reqs (https://github.com/bahruzjabiyev/t-reqs-http-fuzzer) for discovering them.
heap-buffer-overflow with stats-over-http plugin
CVE-2021-43082 [CVE] [CVE json] [OSV json]
Last updated: 2021-11-02T21:16:59.675Z
Affected
- Apache Traffic Server at 9.1.0
Description
Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory. This issue affects Apache Traffic Server 9.1.0.
References
Credits
- Apache Traffic Server would like to thank Masori Koshiba for finding this issue.
ATS stops accepting connections on FreeBSD
CVE-2021-41585 [CVE] [CVE json] [OSV json]
Last updated: 2021-11-02T21:16:43.796Z
Affected
- Apache Traffic Server at 7.0.0 to 9.1.0
Description
Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop accepting new connections. This issue affects Apache Traffic Server 5.0.0 to 9.1.0.
References
Credits
- Apache Traffic Server would like to thank Asbjorn Bjornstad for finding this issue.
Not validating origin TLS certificate
CVE-2021-38161 [CVE] [CVE json] [OSV json]
Last updated: 2021-11-02T21:16:04.785Z
Affected
- Apache Traffic Server at 8.0.0 to 8.0.8
Description
Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8.
References
Protocol vs scheme mismatch
CVE-2021-37150 [CVE] [CVE json] [OSV json]
Last updated: 2022-08-10T05:43:13.024Z
Affected
- Apache Traffic Server at 8.0.0 to 9.1.2
Description
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
References
Request Smuggling - multiple attacks
CVE-2021-37149 [CVE] [CVE json] [OSV json]
Last updated: 2021-11-02T21:15:10.588Z
Affected
- Apache Traffic Server at 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0
Description
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.
References
Credits
- Apache Traffic Server would like to thank Mattias Grenfeldt and Asta Olofsson for reporting this issue
Request Smuggling - transfer encoding validation
CVE-2021-37148 [CVE] [CVE json] [OSV json]
Last updated: 2021-11-02T21:14:46.545Z
Affected
- Apache Traffic Server at 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1
Description
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1.
References
Credits
- Apache Traffic Server would like to thank Mattias Grenfeldt and Asta Olofsson for reporting this issue
Request Smuggling - LF line ending
CVE-2021-37147 [CVE] [CVE json] [OSV json]
Last updated: 2021-11-02T21:14:21.298Z
Affected
- Apache Traffic Server at 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0
Description
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.
References
Credits
- Apache Traffic Server would like to thank Mattias Grenfeldt and Asta Olofsson for reporting this issue.
Dynamic stack buffer overflow in cachekey plugin
CVE-2021-35474 [CVE] [CVE json] [OSV json]
Last updated: 2021-06-30T07:12:52.360Z
Affected
- Apache Traffic Server at 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1
Description
Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
References
Reading HTTP/2 frames too many times
CVE-2021-32567 [CVE] [CVE json] [OSV json]
Last updated: 2021-06-30T07:12:25.231Z
Affected
- Apache Traffic Server at 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1
Description
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
References
Specific sequence of HTTP/2 frames can cause ATS to crash
CVE-2021-32566 [CVE] [CVE json] [OSV json]
Last updated: 2021-06-30T07:11:47.425Z
Affected
- Apache Traffic Server at 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1
Description
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
References
HTTP Request Smuggling, content length with invalid charters
CVE-2021-32565 [CVE] [CVE json] [OSV json]
Last updated: 2021-06-28T17:31:31.239Z
Affected
- Apache Traffic Server at 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1
Description
Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
References
slicer plugin crash
CVE-2021-27737 [CVE] [CVE json]
Last updated: 2021-05-17T17:41:59.734Z
Affected
- Apache Traffic Server at 9.0.0
Description
Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin.
Incorrect handling of url fragment leads to cache poisoning
CVE-2021-27577 [CVE] [CVE json] [OSV json]
Last updated: 2021-06-28T17:28:40.345Z
Affected
- Apache Traffic Server at 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1
Description
Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
References
Apache Traffic Server negative cache option is vulnerable to a cache poisoning attack
CVE-2020-17509 [CVE] [CVE json] [OSV json]
Last updated: 2021-01-11T09:31:44.280Z
Affected
- Apache Traffic Server from Apache Traffic Server through 6.2.3
Description
Apache Traffic Server negative cache option is vulnerable to a cache poisoning attack affecting versions 6.0.0 through 6.2.3, 7.0.0 through 7.1.10, and 8.0.0 through 8.0.7. If you have this option enabled, please upgrade or disable this feature.
References
Apache Traffic Server ESI plugin has a memory disclosure vulnerability
CVE-2020-17508 [CVE] [CVE json] [OSV json]
Last updated: 2021-01-11T09:27:29.639Z
Affected
- Apache Traffic Server from Apache Traffic Server through 6.2.3
Description
The ESI plugin in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.11, and 8.0.0 to 8.1.0 has a memory disclosure vulnerability. If you are running the plugin please upgrade to 7.1.12 or 8.1.1 or later.