CVE-2021-32565

Severity
7.5 HIGH
EPSS
5.7%
top 9.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 29
Latest update: May 24

Description

Invalid values in the Content-Length header sent to Apache Traffic Server allow an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, and 9.0.0 to 9.0.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

NVD | apache/traffic_server | 7.0.0 to 7.1.12 (+2)
CVEListV5 | apache_software_foundation/apache_traffic_server | Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1
Debian | trafficserver | < 8.1.1+ds-1.1 (+1)

Also affects: Debian Linux 10.0

Vulnerability Details (3)

GHSA | GHSA-mpgf-5wcr-9hgg: Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests | 2022-05-24
CVEList | HTTP Request Smuggling, content length with invalid characters | 2021-06-29
OSV | CVE-2021-32565: Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests | 2021-06-29

Vendor Advisories (1)

Debian | CVE-2021-32565: trafficserver - Invalid values in the Content-Length header sent to Apache Traffic Server allows... | 2021