CVE-2021-37148

CWE-20Improper Input Validation5 documents5 sources
Severity
7.5HIGH
EPSS
1.0%
top 22.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Apache Traffic ServerApache Software Foundation Apache Traffic ServerDebian Debian Linux
Timeline
PublishedNov 3
Latest updateMay 24

Description

Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDapache/traffic_server8.0.08.1.2+1
CVEListV5apache_software_foundation/apache_traffic_server8.0.0 to 8.1.2 and 9.0.0 to 9.0.1
Debiantrafficserver< 8.1.1+ds-1.1+deb11u1+1

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: lists.apache.orgPatch: lists.apache.org

🔴Vulnerability Details

3
GHSA
GHSA-p9mw-v4q4-qhvj: Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests2022-05-24
CVEList
Request Smuggling - transfer encoding validation2021-11-03
OSV
CVE-2021-37148: Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests2021-11-03

📋Vendor Advisories

1
Debian
CVE-2021-37148: trafficserver - Improper input validation vulnerability in header parsing of Apache Traffic Serv...2021
CVE-2021-37148 (HIGH CVSS 7.5) | Improper input validation vulnerabi | cvebase.io