SB2020032414 - Multiple vulnerabilities in Apache Traffic Server

Security Bulletin ID SB2020032414

Severity

Medium

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2019-17565)

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to improper input validation in HTTP headers and chunked encoding. A remote attacker can send a specially crafted HTTP request and perform HTTP request smuggling attack.

2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2019-17559)

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to improper input validation in HTTP headers and scheme parsing. A remote attacker can send a specially crafted HTTP request and perform HTTP request smuggling attack.

3) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2020-1944)

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to improper input validation in HTTP headers and a Content-Length header. A remote attacker can send a specially crafted HTTP request and perform HTTP request smuggling attack.

Remediation

Install update from vendor's website.

References

https://lists.apache.org/thread.html/r99d18d0bc4daa05e7d0e5a63e0e22701a421b2ef5a8f4f7694c43869%40%3Cannounce.trafficserver.apache.org%3E

SB2020032414 - Multiple vulnerabilities in Apache Traffic Server

Breakdown by Severity

Description

Remediation

References

Please verify you're human