CVE-2021-37149 — Improper Input Validation in Apache Traffic Server

CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.5HIGHNVD

EPSS

1.0%

top 22.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Traffic Server Apache Software Foundation Apache Traffic Server Debian Linux

Timeline

PublishedNov 3

Latest updateMay 24

Description

Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/traffic_server8.0.0 — 8.1.2+1

▶CVEListV5apache_software_foundation/apache_traffic_server8.0.0 to 8.1.2 and 9.0.0 to 9.1.0

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: lists.apache.org ↗Patch: lists.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-c3mx-fhwm-6r53: Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests↗2022-05-24

▶

OSV

CVE-2021-37149: Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests↗2021-11-03

▶

CVEList

Request Smuggling - multiple attacks↗2021-11-03

▶

📋Vendor Advisories

Debian

CVE-2021-37149: trafficserver - Improper Input Validation vulnerability in header parsing of Apache Traffic Serv...↗2021

▶