
Multiple Apache Traffic Server Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-35296 CVSS:5.3

Apache Traffic Server is vulnerable to a denial of service caused by improper validation of the Accept-Encoding request header. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.

CVE-2023-38522 CVSS:6.5

Apache Traffic Server is vulnerable to HTTP request smuggling caused by improper validation of header field names. By sending a specially crafted HTTP(S) header, an attacker could exploit this vulnerability to make the proxy and the origin disagree on where one request ends and the next begins, and so poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

CVE-2024-35161 CVSS:6.5

Apache Traffic Server is vulnerable to HTTP request smuggling caused by improper validation of the chunked trailer section (the field lines that follow the last chunk of a chunked message body). By sending a specially crafted HTTP(S) request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
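The parser disagreement that both smuggling entries above depend on, as an added example (written for this page; it is not Apache Traffic Server's parser and does not reproduce either CVE): a strict HTTP/1.1 framer that enforces the RFC 9110 token rule on header and trailer field names, beside two tolerant variants of the kind that make desyncs possible. The mode names `strict`, `trim` and `exact`, and the three sample requests, are inventions of this example.

```python
"""Strict vs. lenient HTTP/1.1 framing (added illustration, not ATS code).
Smuggling needs two hops that disagree on where a request ends; a hop that
accepts a field or trailer line the RFC forbids is the usual source of that."""
import re

# RFC 9110 "tchar": the only characters permitted in a header field name.
TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
CHUNK_SIZE_RE = re.compile(rb"[0-9A-Fa-f]+")
# Parser personalities (names invented for this example, not ATS settings):
#   "strict" rejects names that are not tokens; "trim" strips whitespace
#   around a name; "exact" keeps the name verbatim, so a padded name never matches.


def valid_field_name(name: bytes) -> bool:
    """Non-empty run of tchar: no whitespace, no colon, no control bytes."""
    return len(name) > 0 and all(chr(c) in TCHAR for c in name)


def parse_fields(lines: list[bytes], mode: str) -> dict[bytes, bytes]:
    """Parse 'name: value' lines (headers or trailers) according to mode."""
    fields = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"field line without ':': {line!r}")
        if mode == "strict" and not valid_field_name(name):
            raise ValueError(f"invalid field name: {name!r}")
        if mode == "trim":
            name = name.strip()
        fields[name.lower()] = value.strip()
    return fields


def _read_line(data: bytes, pos: int) -> tuple[bytes, int]:
    end = data.index(b"\r\n", pos)  # ValueError if the message is truncated
    return data[pos:end], end + 2


def decode_chunked(data: bytes, pos: int, mode: str) -> tuple[bytes, dict, int]:
    """Decode a chunked body at pos; return (payload, trailers, end offset).
    Each chunk must end with CRLF; the trailer section is zero or more
    field lines ended by an empty line, validated exactly like headers."""
    payload = bytearray()
    while True:
        line, pos = _read_line(data, pos)
        size_hex = line.split(b";", 1)[0].strip()  # drop chunk extensions
        if not CHUNK_SIZE_RE.fullmatch(size_hex):
            raise ValueError(f"bad chunk size: {line!r}")
        size = int(size_hex, 16)
        if size == 0:
            break
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        payload += data[pos:pos + size]
        pos += size + 2
    trailer_lines = []
    while True:
        line, pos = _read_line(data, pos)
        if not line:
            break
        trailer_lines.append(line)
    return bytes(payload), parse_fields(trailer_lines, mode), pos


def frame_request(raw: bytes, mode: str) -> tuple[dict, bytes, bytes]:
    """Split raw bytes into (headers, body, leftover) as one hop sees them.
    leftover is what that hop treats as the start of the next request; two
    hops returning different leftovers for the same bytes is a desync."""
    head_end = raw.index(b"\r\n\r\n")
    headers = parse_fields(raw[:head_end].split(b"\r\n")[1:], mode)  # skip request line
    pos = head_end + 4
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body, trailers, pos = decode_chunked(raw, pos, mode)
        headers.update(trailers)
    else:
        length = int(headers.get(b"content-length", b"0"))
        body, pos = raw[pos:pos + length], pos + length
    return headers, body, raw[pos:]


def rejected(raw: bytes) -> bool:
    """True if a strict hop would answer 400 instead of forwarding the bytes."""
    try:
        frame_request(raw, "strict")
        return False
    except ValueError:
        return True


# Constructed sample traffic for this example, not captured from any system.
NEXT = b"GET /admin HTTP/1.1\r\nHost: origin\r\n\r\n"
GOOD = (b"POST / HTTP/1.1\r\nHost: origin\r\nTransfer-Encoding: chunked\r\n\r\n"
        b"5\r\nhello\r\n0\r\nExpires: 0\r\n\r\n") + NEXT
BAD_TRAILER = (b"POST / HTTP/1.1\r\nHost: origin\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"5\r\nhello\r\n0\r\nX-Trailer : x\r\n\r\n") + NEXT
BAD_HEADER = (b"POST / HTTP/1.1\r\nHost: origin\r\nContent-Length : 5\r\n\r\n"
              b"hello") + NEXT

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("bad trailer", BAD_TRAILER), ("bad header", BAD_HEADER)):
        for mode in ("trim", "exact"):
            _, body, rest = frame_request(msg, mode)
            print(f"{label:12}{mode:6} body={body!r} next starts {rest[:12]!r}")
        print(f"{label:12}strict rejects: {rejected(msg)}")
```

Run it and compare the three messages. `GOOD` frames identically in every mode. `BAD_HEADER` carries `Content-Length : 5` with a space before the colon: a `trim` hop reads it as a 5-byte body and sees `GET /admin` as the next request, an `exact` hop sees no Content-Length at all and treats `hello` as the first bytes of the next request, and a `strict` hop refuses the message, which is the only outcome that cannot be turned into a desync. `BAD_TRAILER` shows the same check applied after the last chunk: the malformed trailer name is rejected by the strict framer and silently accepted by the tolerant ones. A proxy that accepts such bytes and forwards them verbatim to an origin that frames them differently is the precondition for the cache poisoning and WAF bypass described above.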

Impact

  • Denial of Service
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2024-35296
  • CVE-2023-38522
  • CVE-2024-35161

Affected Vendors

Apache

Affected Products

  • Apache Traffic Server 8.0.0 through 8.1.10
  • Apache Traffic Server 9.0.0 through 9.2.4

Remediation

Upgrade to Apache Traffic Server 8.1.11 or 9.2.5 (or a later release of the respective branch), available from the Apache website. Because all three issues lie in request parsing, the upgrade should be applied to every Traffic Server instance on the request path, not only the Internet-facing one.
