CVE-2022-31778

CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.5HIGH

EPSS

2.7%

top 14.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Traffic Server Apache Software Foundation Apache Traffic Server Debian Debian Linux

Timeline

PublishedAug 10

Latest updateAug 11

Description

Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 8.0.0 to 9.0.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/traffic_server8.0.0 — 8.1.4+1

▶CVEListV5apache_software_foundation/apache_traffic_server8.0.0 to 9.0.2

▶Debiantrafficserver< 8.1.5+ds-1~deb11u1+1

Also affects: Debian Linux 11.0

🔴Vulnerability Details

GHSA

GHSA-w7rf-qxv9-mpv7: Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache↗2022-08-11

▶

OSV

CVE-2022-31778: Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache↗2022-08-10

▶

CVEList

Transfer-Encoding not treated as hop-by-hop↗2022-08-10

▶

📋Vendor Advisories

Debian

CVE-2022-31778: trafficserver - Improper Input Validation vulnerability in handling the Transfer-Encoding header...↗2022

▶