CVE-2017-5660: Improper Input Validation in Apache Traffic Server

Severity: 8.6 HIGH (NVD)
EPSS: 2.6% (top 14.40%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 27; latest update May 14

Description

Apache Traffic Server (ATS) 6.2.0 and prior and 7.0.0 and prior mishandles the Host header when line folding is used. This can cause problems when interacting with upstream proxies and can result in the wrong host being used.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Exploitability: 3.9 | Impact: 4.0

Affected Packages (2 packages)

CVEListV5: apache_software_foundation/apache_traffic_server, 6.2.0 and prior, 7.0.0 and prior (+1)

Also affects: Debian Linux 9.0

🔴 Vulnerability Details (3)

GHSA: GHSA-6qxx-fh8v-m9jv: There is a vulnerability in Apache Traffic Server (ATS) 6 (2022-05-14)
OSV: CVE-2017-5660: There is a vulnerability in Apache Traffic Server (ATS) 6 (2018-02-27)
CVEList: CVE-2017-5660: There is a vulnerability in Apache Traffic Server (ATS) 6 (2018-02-27)

📋 Vendor Advisories (1)

Debian: CVE-2017-5660: trafficserver - There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and prior and 7.0.... (2017)

💬 Community (3)

Bugzilla: CVE-2017-5660 CVE-2017-7671 trafficserver: various flaws [fedora-all] (2018-03-02)
Bugzilla: CVE-2017-5660 trafficserver: Mishandled folded host header in MIME.cc can lead to incorrect upstream proxies being used (2018-03-02)
Bugzilla: CVE-2017-5660 CVE-2017-7671 trafficserver: various flaws [epel-all] (2018-03-02)