CVE-2022-25763

CWE-444 — HTTP Request Smuggling CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.5HIGH

EPSS

0.4%

top 36.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Traffic Server Apache Software Foundation Apache Traffic Server Debian Debian Linux +1 more

Timeline

PublishedAug 10

Latest updateAug 11

Description

Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/traffic_server8.0.0 — 8.1.5+1

▶CVEListV5apache_software_foundation/apache_traffic_server8.0.0 to 9.1.2

▶Debiantrafficserver< 8.1.5+ds-1~deb11u1+1

Also affects: Debian Linux 11.0, Fedora 35, 36

🔴Vulnerability Details

GHSA

GHSA-mp6g-w483-p43g: Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison att↗2022-08-11

▶

OSV

CVE-2022-25763: Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison att↗2022-08-10

▶

CVEList

Improper input validation on HTTP/2 headers↗2022-08-10

▶

📋Vendor Advisories

Debian

CVE-2022-25763: trafficserver - Improper Input Validation vulnerability in HTTP/2 request validation of Apache T...↗2022

▶