CVE-2020-9494 — Allocation of Resources Without Limits or Throttling in Apache Traffic Server

CWE-770 — Allocation of Resources Without Limits or Throttling CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-502 — Deserialization of Untrusted Data7 documents7 sources

Severity

7.5HIGHNVD

GHSA7.0

EPSS

3.2%

top 13.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Traffic Server Apache Software Foundation Apache Traffic Server Debian Linux

Timeline

PublishedJun 24

Latest updateMay 24

Description

Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/traffic_server6.0.0 — 6.2.3+2

▶CVEListV5apache_software_foundation/apache_traffic_server6.0.0 to 6.2.3, 7.0.0 to 7.1.10, 8.0.0 to 8.0.7+2

Also affects: Debian Linux 10.0

🔴Vulnerability Details

GHSA

GHSA-cw5m-934f-xqmc: Apache Traffic Server 6↗2022-05-24

▶

GHSA

Potential remote code execution in Apache Tomcat↗2021-03-19

▶

CVEList

CVE-2020-9494: Apache Traffic Server 6↗2020-06-24

▶

OSV

CVE-2020-9494: Apache Traffic Server 6↗2020-06-24

▶

📋Vendor Advisories

Red Hat

tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence)↗2021-03-01

▶

Debian

CVE-2020-9494: trafficserver - Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vul...↗2020

▶