Input validation error in Apache Traffic Server - CVE-2023-38522

Published: August 12, 2024


Vulnerability identifier: #VU95786
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-38522
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Traffic Server

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because the affected application accepts characters that are not allowed in HTTP field names and forwards the resulting malformed requests to origin servers. A remote attacker can use this to perform request smuggling and cache poisoning attacks.
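The check a strict proxy should apply to every field name before forwarding a request, as an added example that is not Apache Traffic Server's own code: it validates names against the RFC 9110 `tchar` grammar and lists the ones that must be rejected rather than passed to the origin. The sample request is constructed for illustration.

```python
import re

# RFC 9110 "tchar": the only characters permitted in an HTTP field name.
# Anything else (whitespace, control bytes, non-ASCII) makes the name invalid.
TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def field_name_is_valid(name: str) -> bool:
    """Return True only if `name` is a syntactically valid HTTP field name."""
    return bool(TCHAR.match(name))


def check_request_headers(raw_request: bytes) -> list:
    """Parse the header block of a raw HTTP/1.1 request and return the field
    names a strict proxy should reject instead of forwarding to the origin.

    A header line with no colon is reported whole, since it has no valid name.
    Whitespace before the colon is caught too, because a space is not a tchar
    and RFC 9112 requires such lines to be rejected rather than forwarded.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the request line
    rejected = []
    for line in lines:
        name, sep, _ = line.partition(b":")
        # latin-1 maps every byte to a code point, so decoding never fails
        name_str = name.decode("latin-1")
        if not sep or not field_name_is_valid(name_str):
            rejected.append(name_str)
    return rejected


# Constructed sample request mixing valid and invalid field names.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Valid_Name: ok\r\n"
    b"X-Custom Header: v\r\n"     # space inside the name
    b"X-Trailing : v\r\n"         # space between name and colon
    b"X-Bad\x01Name: v\r\n"       # control byte inside the name
    b"NoColonLine\r\n"            # no field name / value separator at all
    b"\r\n"
)

if __name__ == "__main__":
    for bad in check_request_headers(SAMPLE_REQUEST):
        print("reject:", repr(bad))
```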


How to mitigate CVE-2023-38522

Install updates from the vendor's website.

Sources