CVE-2021-37147

CWE-20 — Improper Input Validation CWE-444 — HTTP Request Smuggling5 documents5 sources

Severity

7.5HIGH

EPSS

0.7%

top 28.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Traffic Server Apache Software Foundation Apache Traffic Server Debian Debian Linux

Timeline

PublishedNov 3

Latest updateMay 24

Description

Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/traffic_server8.0.0 — 8.1.2+1

▶CVEListV5apache_software_foundation/apache_traffic_server8.0.0 to 8.1.2 and 9.0.0 to 9.1.0

▶Debiantrafficserver< 8.1.1+ds-1.1+deb11u1+1

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: lists.apache.org ↗Patch: lists.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-2c64-8v4j-vw3m: Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests↗2022-05-24

▶

CVEList

Request Smuggling - LF line ending↗2021-11-03

▶

OSV

CVE-2021-37147: Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests↗2021-11-03

▶

📋Vendor Advisories

Debian

CVE-2021-37147: trafficserver - Improper input validation vulnerability in header parsing of Apache Traffic Serv...↗2021

▶