CVE-2023-38522 — HTTP Request Smuggling in Apache Traffic Server

CWE-444 — HTTP Request Smuggling CWE-20 — Improper Input Validation CWE-86 — Improper Neutralization of Invalid Characters in Identifiers in Web Pages5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 41.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Traffic Server Apache Software Foundation Apache Traffic Server

Timeline

PublishedJul 26

Description

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/traffic_server8.0.0 — 8.1.11+1

▶CVEListV5apache_software_foundation/apache_traffic_server8.0.0 — 8.1.10+1

🔴Vulnerability Details

GHSA

GHSA-68qf-xhq3-9qj5: Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers↗2024-07-26

▶

OSV

CVE-2023-38522: Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers↗2024-07-26

▶

CVEList

Apache Traffic Server: Incomplete field name check allows request smuggling↗2024-07-26

▶

📋Vendor Advisories

Debian

CVE-2023-38522: trafficserver - Apache Traffic Server accepts characters that are not allowed for HTTP field nam...↗2023

▶