CVE-2022-31779

CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.5HIGH

EPSS

3.5%

top 12.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Traffic Server Apache Software Foundation Apache Traffic Server Debian Debian Linux +1 more

Timeline

PublishedAug 10

Latest updateAug 11

Description

Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/traffic_server8.0.0 — 8.1.4+1

▶CVEListV5apache_software_foundation/apache_traffic_server8.0.0 to 9.1.2

▶Debiantrafficserver< 8.1.5+ds-1~deb11u1+1

Also affects: Debian Linux 11.0, Fedora 35, 36

🔴Vulnerability Details

GHSA

GHSA-449r-qg4g-v772: Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests↗2022-08-11

▶

OSV

CVE-2022-31779: Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests↗2022-08-10

▶

CVEList

Improper HTTP/2 scheme and method validation↗2022-08-10

▶

📋Vendor Advisories

Debian

CVE-2022-31779: trafficserver - Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traff...↗2022

▶