CVE-2018-8004

There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.

CVSS v3.0 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5@%3Cusers.trafficserver.apache.org%3E	Mailing List Vendor Advisory
https://github.com/apache/trafficserver/pull/3251	Patch Third Party Advisory
https://github.com/apache/trafficserver/pull/3231	Patch Third Party Advisory
https://github.com/apache/trafficserver/pull/3201	Patch Third Party Advisory
https://github.com/apache/trafficserver/pull/3192	Patch Third Party Advisory
http://www.securityfocus.com/bid/105192	Third Party Advisory VDB Entry
https://www.debian.org/security/2018/dsa-4282	Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:traffic_server::::::::
	cpe:2.3:a:apache:traffic_server::::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Information

Published : 2018-08-29 06:29

Updated : 2018-11-08 06:13

NVD link : CVE-2018-8004

Mitre link : CVE-2018-8004

JSON object : View

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Advertisement

Products Affected

debian

debian_linux

apache

traffic_server

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5@%3Cusers.trafficserver.apache.org%3E", "name": "[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with multiple HTTP smuggling and cache poisoning attacks - CVE-2018-8004", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://github.com/apache/trafficserver/pull/3251", "name": "https://github.com/apache/trafficserver/pull/3251", "tags": ["Patch", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/apache/trafficserver/pull/3231", "name": "https://github.com/apache/trafficserver/pull/3231", "tags": ["Patch", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/apache/trafficserver/pull/3201", "name": "https://github.com/apache/trafficserver/pull/3201", "tags": ["Patch", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/apache/trafficserver/pull/3192", "name": "https://github.com/apache/trafficserver/pull/3192", "tags": ["Patch", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/105192", "name": "105192", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "https://www.debian.org/security/2018/dsa-4282", "name": "DSA-4282", "tags": ["Third Party Advisory"], "refsource": "DEBIAN"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-444"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2018-8004", "ASSIGNER": "security@apache.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}}, "publishedDate": "2018-08-29T13:29Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "6.2.2", "versionStartIncluding": "6.0.0"}, {"cpe23Uri": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "7.1.3", "versionStartIncluding": "7.0.0"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-11-08T14:13Z"}