CVE-2018-8004HTTP Request Smuggling in Apache Traffic Server

CWE-444HTTP Request Smuggling5 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
2.6%
top 14.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Apache Traffic ServerApache Software Foundation Apache Traffic ServerDebian Linux
Timeline
PublishedAug 29
Latest updateMay 14

Description

There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDapache/traffic_server6.0.06.2.2+1
CVEListV5apache_software_foundation/apache_traffic_server6.0.0 to 6.2.2, 7.0.0 to 7.1.3+1

Also affects: Debian Linux 9.0

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
GHSA-whhq-69jf-g65h: There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS)2022-05-14
CVEList
CVE-2018-8004: There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS)2018-08-29
OSV
CVE-2018-8004: There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS)2018-08-29

📋Vendor Advisories

1
Debian
CVE-2018-8004: trafficserver - There are multiple HTTP smuggling and cache poisoning issues when clients making...2018
CVE-2018-8004 — HTTP Request Smuggling in Apache | cvebase