CVE-2022-28129 — Improper Input Validation in Apache Traffic Server

CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.5HIGHNVD

EPSS

4.6%

top 10.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Traffic Server Apache Software Foundation Apache Traffic Server Debian Linux +1 more

Timeline

PublishedAug 10

Latest updateAug 11

Description

Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/traffic_server8.0.0 — 8.1.4+1

▶CVEListV5apache_software_foundation/apache_traffic_server8.0.0 to 9.1.2

Also affects: Debian Linux 10.0, 11.0, Fedora 35, 36

🔴Vulnerability Details

GHSA

GHSA-6gv5-5975-mh35: Improper Input Validation vulnerability in HTTP/1↗2022-08-11

▶

OSV

CVE-2022-28129: Improper Input Validation vulnerability in HTTP/1↗2022-08-10

▶

CVEList

Insufficient Validation of HTTP/1.x Headers↗2022-08-10

▶

📋Vendor Advisories

Debian

CVE-2022-28129: trafficserver - Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Tra...↗2022

▶