
Debian Trafficserver vulnerabilities

77 known vulnerabilities affecting debian/trafficserver.

Total CVEs: 77
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 11, HIGH 51, MEDIUM 10, LOW 5

Vulnerabilities

Page 1 of 4
CVE-2025-58136 | HIGH | CVSS 7.5 | fixed in trafficserver 9.2.5+ds-0+deb12u4 (bookworm) | 2025
A bug in POST request handling causes a crash under a certain condition. This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12. Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue. A workaround for older versions is to set proxy.config.http.request_buffer_enabled to 0 (the default value is
Source: debian

CVE-2025-31698 | HIGH | CVSS 7.5 | fixed in trafficserver 9.2.5+ds-0+deb12u3 (bookworm) | 2025
ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol. This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2
Source: debian

CVE-2025-49763 | HIGH | CVSS 7.5 | fixed in trafficserver 9.2.5+ds-0+deb12u3 (bookworm) | 2025
The ESI plugin does not have a limit for maximum inclusion depth, which allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to
Source: debian

CVE-2025-65114 | HIGH | CVSS 7.5 | fixed in trafficserver 9.2.5+ds-0+deb12u4 (bookworm) | 2025
Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.
Scope: local. bookworm: resolved (fixed in 9.2.5+ds-0+deb12u4); bullseye: open; sid: open.
Source: debian

CVE-2024-50306 | CRITICAL | CVSS 9.1 | fixed in trafficserver 9.2.5+ds-0+deb12u2 (bookworm) | 2024
Unchecked return value can allow Apache Traffic Server to retain privileges on startup. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1. Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue.
Scope: local. bookworm: resolved (fixed in 9.2.5+ds-0+deb12u2); bullseye: resolved (fixed in
Source: debian

CVE-2024-38479 | HIGH | CVSS 7.5 | fixed in trafficserver 9.2.5+ds-0+deb12u2 (bookworm) | 2024
Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
Scope: local. bookworm: resolved (fixed in 9.2.5+ds-0+deb12u2); bullseye: resolved (fix
Source: debian

CVE-2024-31309 | HIGH | CVSS 7.5 | fixed in trafficserver 9.2.4+ds-0+deb12u1 (bookworm) | 2024
HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Versions from 8.0.0 through 8.1.9 and from 9.0.0 through 9.2.3 are affected. Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a reque
Source: debian

CVE-2024-35161 | HIGH | CVSS 7.5 | fixed in trafficserver 9.2.5+ds-0+deb12u1 (bookworm) | 2024
Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users can set a new setting (proxy.config.http.drop_chunked_tra
Source: debian

CVE-2024-50305 | HIGH | CVSS 7.5 | fixed in trafficserver 9.2.5+ds-0+deb12u2 (bookworm) | 2024
Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
Scope: local. bookworm: resolved (fixed in 9.2.5+ds-0+deb12u2); bullseye: open; sid: open.
Source: debian

CVE-2024-53868 | HIGH | CVSS 7.5 | fixed in trafficserver 9.2.5+ds-0+deb12u3 (bookworm) | 2024
Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue.
Scope: local. bookworm: resolved (fixed in 9.2.5+ds-0+deb12u3); bullseye: open; sid: open.
Source: debian

CVE-2024-35296 | HIGH | CVSS 8.2 | fixed in trafficserver 9.2.5+ds-0+deb12u1 (bookworm) | 2024
Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
Scope: local. bookworm: resolved (fixed in 9.2.5+ds-0+deb12u1); bullse
Source: debian

CVE-2024-56202 | MEDIUM | CVSS 4.3 | fixed in trafficserver 9.2.5+ds-0+deb12u2 (bookworm) | 2024
Expected Behavior Violation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to versions 9.2.9 or 10.0.4 or newer, which fixes the issue.
Scope: local. bookworm: resolved (fixed in 9.2.5+ds-0+deb12u2); bullseye: open; sid: open.
Source: debian

CVE-2024-56195 | MEDIUM | CVSS 6.3 | fixed in trafficserver 9.2.5+ds-0+deb12u2 (bookworm) | 2024
Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.
Scope: local. bookworm: resolved (fixed in 9.2.5+ds-0+deb12u2); bullseye: open; sid: open.
Source: debian

CVE-2024-38311 | MEDIUM | CVSS 6.3 | fixed in trafficserver 9.2.5+ds-0+deb12u2 (bookworm) | 2024
Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.
Scope: local. bookworm: resolved (fixed in 9.2.5+ds-0+deb12u2); bullseye: open; sid: open.
Source: debian

CVE-2024-56196 | LOW (listing header; the entry detail says MEDIUM) | CVSS 6.3 | 2024
Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 10.0.4, which fixes the issue.
Scope: local. bookworm: resolved; bullseye: resolved; sid: resolved.
Source: debian

CVE-2023-33934 | CRITICAL | CVSS 9.1 | fixed in trafficserver 9.2.3+ds-1+deb12u1 (bookworm) | 2023
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. This issue affects Apache Traffic Server: through 9.2.1.
Scope: local. bookworm: resolved (fixed in 9.2.3+ds-1+deb12u1); bullseye: resolved (fixed in 8.1.9+ds-1~deb11u1); sid: resolved (fixed in 9.2.2+ds-1).
Source: debian

CVE-2023-30631 | HIGH | CVSS 7.5 | fixed in trafficserver 9.2.0+ds-2+deb12u1 (bookworm) | 2023
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. The configuration option proxy.config.http.push_method_enabled didn't function. However, by default the PUSH method is blocked in the ip_allow configuration file. This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0. 8.x users should upgrade to 8.1.7 or la
Source: debian

CVE-2023-33933 | HIGH | CVSS 7.5 | fixed in trafficserver 9.2.0+ds-2+deb12u1 (bookworm) | 2023
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0. 8.x users should upgrade to 8.1.7 or later versions; 9.x users should upgrade to 9.2.1 or later versions.
Scope: local. bookworm: resolved (fixed in 9.2.0+ds-2+deb12u1); bul
Source: debian

CVE-2023-38522 | HIGH | CVSS 7.5 | fixed in trafficserver 9.2.5+ds-0+deb12u1 (bookworm) | 2023
Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommen
Source: debian

CVE-2023-39456 | HIGH | CVSS 7.5 | fixed in trafficserver 9.2.3+ds-1+deb12u1 (bookworm) | 2023
Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 9.2.3, which fixes the issue.
Scope: local. bookworm: resolved (fixed in 9.2.3+ds-1+deb12u1); bullseye: resolved; sid: resolved (fixed in 9.2.3+ds-1).
Source: debian