CVE-2010-2952 — Improper Input Validation in Apache Traffic Server

CWE-20 — Improper Input Validation4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

1.2%

top 21.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Traffic Server

Timeline

PublishedSep 13

Latest updateMay 14

Description

Apache Traffic Server before 2.0.1, and 2.1.x before 2.1.2-unstable, does not properly choose DNS source ports and transaction IDs, and does not properly use DNS query fields to validate responses, which makes it easier for man-in-the-middle attackers to poison the internal DNS cache via a crafted response.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/traffic_server2.0.0+2

🔴Vulnerability Details

GHSA

GHSA-29m6-68fv-pgx2: Apache Traffic Server before 2↗2022-05-14

▶

CVEList

CVE-2010-2952: Apache Traffic Server before 2↗2010-09-13

▶

📋Vendor Advisories

Debian

CVE-2010-2952: trafficserver - Apache Traffic Server before 2.0.1, and 2.1.x before 2.1.2-unstable, does not pr...↗2010

▶