Description

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

Remediation

References

CVE-2023-38522

Related Vulnerabilities

Apache HTTP Server Improper Authentication Vulnerability (CVE-2017-3167)

XWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-29515)

PrestaShop Improper Neutralization of Formula Elements in a CSV File Vulnerability (CVE-2021-21302)

Oracle JRE CVE-2013-2449 Vulnerability (CVE-2013-2449)

TYPO3 Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2022-36104)

Severity

High

Classification

CVE-2023-38522 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities