This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Apache First view 2014-08-22
Product Traffic Server Last view 2021-06-30
Version 4.1.0 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:apache:traffic_server

Activity : Overall

Related : CVE

  Date Alert Description
9.8 2021-06-30 CVE-2021-35474

Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

7.5 2021-06-30 CVE-2021-32567

Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

7.5 2021-06-30 CVE-2021-32566

Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

7.5 2021-06-29 CVE-2021-32565

Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

7.5 2021-06-29 CVE-2021-27577

Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.

7.5 2021-01-11 CVE-2020-17509

ATS negative cache option is vulnerable to a cache poisoning attack. If you have this option enabled, please upgrade or disable this feature. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected.

7.5 2021-01-11 CVE-2020-17508

The ATS ESI plugin has a memory disclosure vulnerability. If you are running the plugin please upgrade. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected.

7.5 2020-06-24 CVE-2020-9494

Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.

7.5 2020-04-27 CVE-2020-9481

Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack.

9.8 2020-03-23 CVE-2020-1944

There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and Transfer-Encoding and Content length headers. Upgrade to versions 7.1.9 and 8.0.6 or later versions.

9.8 2020-03-23 CVE-2019-17565

There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and chunked encoding. Upgrade to versions 7.1.9 and 8.0.6 or later versions.

9.8 2020-03-23 CVE-2019-17559

There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and scheme parsing. Upgrade to versions 7.1.9 and 8.0.6 or later versions.

7.5 2019-10-22 CVE-2019-10079

Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.

7.5 2019-03-07 CVE-2018-11783

sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios. This problem was discovered in versions 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, and 8.0.0 to 8.0.1.

5.3 2018-08-29 CVE-2018-8040

Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.

7.5 2018-08-29 CVE-2018-8022

A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. This affects version 6.2.2. To resolve this issue users running 6.2.2 should upgrade to 6.2.3 or later versions.

5.3 2018-08-29 CVE-2018-8005

When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. This can cause performance problems with large objects in cache. This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x users should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.

6.5 2018-08-29 CVE-2018-8004

There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.

7.5 2018-08-29 CVE-2018-1318

Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request. This affects versions Apache Traffic Server (ATS) 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.

7.5 2018-02-27 CVE-2017-7671

There is a DOS attack vulnerability in Apache Traffic Server (ATS) 5.2.0 to 5.3.2, 6.0.0 to 6.2.0, and 7.0.0 with the TLS handshake. This issue can cause the server to coredump.

8.6 2018-02-27 CVE-2017-5660

There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and prior and 7.0.0 and prior with the Host header and line folding. This can have issues when interacting with upstream proxies and the wrong host being used.

7.5 2017-04-17 CVE-2017-5659

Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked encoding.

5 2015-01-13 CVE-2014-10022

Apache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer sizing.

10 2014-08-22 CVE-2014-3525

Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, 4.x before 4.2.1.1, and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CWE : Common Weakness Enumeration

%idName
31% (7) CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggli...
31% (7) CWE-20 Improper Input Validation
9% (2) CWE-770 Allocation of Resources Without Limits or Throttling
9% (2) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
4% (1) CWE-787 Out-of-bounds Write
4% (1) CWE-668 Exposure of Resource to Wrong Sphere
4% (1) CWE-200 Information Exposure
4% (1) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

Nessus® Vulnerability Scanner

id Description
2018-09-04 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4282.nasl - Type: ACT_GATHER_INFO
2018-03-08 Name: The remote caching server is affected by an input-validation vulnerability.
File: apache_traffic_server_712.nasl - Type: ACT_GATHER_INFO
2018-03-08 Name: The remote caching server is affected by an input-validation vulnerability.
File: apache_traffic_server_712_tls_handshake.nasl - Type: ACT_GATHER_INFO
2018-03-05 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4128.nasl - Type: ACT_GATHER_INFO
2015-07-06 Name: The remote Fedora host is missing a security update.
File: fedora_2015-10520.nasl - Type: ACT_GATHER_INFO
2015-07-06 Name: The remote Fedora host is missing a security update.
File: fedora_2015-10524.nasl - Type: ACT_GATHER_INFO
2015-01-22 Name: The remote caching server is affected by a denial of service vulnerability.
File: apache_traffic_server_501.nasl - Type: ACT_GATHER_INFO
2015-01-22 Name: The remote caching server is affected by a denial of service vulnerability.
File: apache_traffic_server_512.nasl - Type: ACT_GATHER_INFO
2014-09-08 Name: The remote FreeBSD host is missing a security-related update.
File: freebsd_pkg_6318b303350711e4b76c0011d823eebd.nasl - Type: ACT_GATHER_INFO
2014-08-09 Name: The remote Fedora host is missing a security update.
File: fedora_2014-8790.nasl - Type: ACT_GATHER_INFO