CVE-2018-8040: Resource Exposure in Apache Traffic Server

CWE-668 Resource Exposure | 5 documents | 5 sources

Severity: 5.3 MEDIUM (NVD)
EPSS: 7.8% (top 8.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 29; latest update May 13

Description

Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

NVD: apache/traffic_server, 6.0.0 to 6.2.2 (+1)
CVEListV5: apache_software_foundation/apache_traffic_server, 6.0.0 to 6.2.2, 7.0.0 to 7.1.3 (+1)

Also affects: Debian Linux 9.0

Patches

Vulnerability Details (3)

GHSA: GHSA-g5v3-3xfp-hgx6: Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access (2022-05-13)
OSV: CVE-2018-8040: Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access (2018-08-29)
CVEList: CVE-2018-8040: Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access (2018-08-29)

Vendor Advisories (1)

Debian: CVE-2018-8040: trafficserver - Pages that are rendered using the ESI plugin can have access to the cookie heade... (2018)