Input validation error in Apache Traffic Server - CVE-2023-38522
Published: August 12, 2024
Vulnerability identifier: #VU95786
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-38522
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Traffic Server
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the affected application accepts characters that are not allowed in HTTP field names and forwards the malformed requests to origin servers. A remote attacker can perform request smuggling and cache poisoning attacks.
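The check that was missing can be illustrated with a strict field-name validator that a proxy or a log-review script applies before a request is forwarded. This is an added example, not code from the advisory or from Apache Traffic Server; it assumes the RFC 9110 `token` grammar for field names, and the function names and sample requests are constructed for illustration.

```python
import string

# RFC 9110 section 5.1: field-name = token = 1*tchar
TCHAR = frozenset((string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~").encode())


def invalid_field_names(raw_head: bytes) -> list[tuple[int, bytes, str]]:
    """Return (line_number, raw_line, reason) for every header line whose
    field name is not a valid token. Line 1 is the request line."""
    findings = []
    head = raw_head.split(b"\r\n\r\n", 1)[0]          # ignore the message body
    for lineno, line in enumerate(head.split(b"\r\n")[1:], start=2):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            findings.append((lineno, line, "line starts with whitespace"))
            continue
        name, colon, _value = line.partition(b":")
        if not colon:
            findings.append((lineno, line, "no colon separator"))
        elif not name:
            findings.append((lineno, line, "empty field name"))
        else:
            bad = sorted({b for b in name if b not in TCHAR})
            if bad:
                listed = ", ".join(f"0x{b:02x}" for b in bad)
                findings.append((lineno, line, f"disallowed bytes in field name: {listed}"))
    return findings


def should_forward(raw_head: bytes) -> bool:
    """Reject the request instead of passing it to the origin when any field name is malformed."""
    return not invalid_field_names(raw_head)


# Constructed sample requests (not captured traffic).
CLEAN = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Ok: 1\r\n\r\n"
MALFORMED = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
             b"X-Sample Name: 1\r\nX-Sample-Id : 2\r\nX-Ok: 1\r\n\r\n")

if __name__ == "__main__":
    for lineno, line, reason in invalid_field_names(MALFORMED):
        print(f"line {lineno}: {line!r}: {reason}")
```

Rejecting the request outright, rather than repairing the name and forwarding it, keeps the proxy and the origin server from interpreting the same bytes differently.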
How to mitigate CVE-2023-38522
Install updates from the vendor's website.