CVE-2021-37150 — Improper Input Validation in Apache Traffic Server

CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.5HIGHNVD

EPSS

1.2%

top 21.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Traffic Server Apache Software Foundation Apache Traffic Server Debian Linux +1 more

Timeline

PublishedAug 10

Latest updateAug 11

Description

Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/traffic_server8.0.0 — 8.1.4+1

▶CVEListV5apache_software_foundation/apache_traffic_server8.0.0 to 9.1.2

Also affects: Debian Linux 10.0, 11.0, Fedora 35, 36

🔴Vulnerability Details

GHSA

GHSA-qp2r-xr6f-7jm8: Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources↗2022-08-11

▶

OSV

CVE-2021-37150: Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources↗2022-08-10

▶

CVEList

Protocol vs scheme mismatch↗2022-08-10

▶

📋Vendor Advisories

Debian

CVE-2021-37150: trafficserver - Improper Input Validation vulnerability in header parsing of Apache Traffic Serv...↗2021

▶