CVE-2023-30631 — Improper Input Validation in Apache Traffic Server

CWE-20 — Improper Input Validation6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 28.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Traffic Server Apache Software Foundation Apache Traffic Server Debian Linux +1 more

Timeline

PublishedJun 14

Description

Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. The configuration option proxy.config.http.push_method_enabled didn't function. However, by default the PUSH method is blocked in the ip_allow configuration file.This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0. 8.x users should upgrade to 8.1.7 or later versions 9.x users should upgrade to 9.2.1 or later versions

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5apache_software_foundation/apache_traffic_server8.0.0 — 9.2.0

▶NVDapache/traffic_server8.0.0 — 8.1.7+1

Also affects: Debian Linux 10.0, 11.0, 12.0, Fedora 37, 38

🔴Vulnerability Details

GHSA

GHSA-5rc2-qffv-3c8p: Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server↗2023-06-14

▶

OSV

CVE-2023-30631: Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server↗2023-06-14

▶

CVEList

Apache Traffic Server: Configuration option to block the PUSH method in ATS didn't work↗2023-06-14

▶

OSV

golang-1.18 vulnerabilities↗2023-04-25

▶

📋Vendor Advisories

Debian

CVE-2023-30631: trafficserver - Improper Input Validation vulnerability in Apache Software Foundation Apache Tra...↗2023

▶