| purl | pkg:deb/debian/trafficserver@9.2.5%2Bds-1?distro=sid |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-4738-xk8n-hbac (Aliases: CVE-2024-38311) | Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue. | There are no reported fixed by versions. |
| VCID-4hs3-be7k-9qe7 (Aliases: CVE-2025-65114) | Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue. | There are no reported fixed by versions. |
| VCID-4uhe-mtbx-nfdu (Aliases: CVE-2024-56195) | Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue. | There are no reported fixed by versions. |
| VCID-5e1r-3jec-tkhp (Aliases: CVE-2025-49763) | trafficserver: Traffic Server ESI Inclusion Depth Vulnerability | There are no reported fixed by versions. |
| VCID-c62p-6ghw-j3dv (Aliases: CVE-2024-50305) | Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue. | There are no reported fixed by versions. |
| VCID-eay7-63um-43e9 (Aliases: CVE-2024-53868) | Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue. | There are no reported fixed by versions. |
| VCID-jabw-thzt-63bb (Aliases: CVE-2024-50306) | Unchecked return value can allow Apache Traffic Server to retain privileges on startup. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1. Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue. | There are no reported fixed by versions. |
| VCID-kjah-am9e-xkev (Aliases: CVE-2024-56202) | Expected Behavior Violation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to versions 9.2.9 or 10.0.4 or newer, which fixes the issue. | There are no reported fixed by versions. |
| VCID-rcdg-j23x-xfbn (Aliases: CVE-2024-38479) | Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue. | There are no reported fixed by versions. |
| VCID-tevw-8dcp-yfh6 (Aliases: CVE-2025-31698) | trafficserver: Apache Traffic Server PROXY Protocol ACL Bypass | There are no reported fixed by versions. |
| VCID-ww3t-p3pq-gkhy (Aliases: CVE-2025-58136) | A bug in POST request handling causes a crash under a certain condition. This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12. Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue. A workaround for older versions is to set proxy.config.http.request_buffer_enabled to 0 (the default value is 0). | There are no reported fixed by versions. |


| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-376v-6shk-8ycq | Apache Traffic Server before 2.0.1, and 2.1.x before 2.1.2-unstable, does not properly choose DNS source ports and transaction IDs, and does not properly use DNS query fields to validate responses, which makes it easier for man-in-the-middle attackers to poison the internal DNS cache via a crafted response. | CVE-2010-2952 |
| VCID-41x7-hv4u-byb9 | security update | CVE-2022-32749 |
| VCID-4js5-31yx-gkf1 | Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server before 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5168. | CVE-2015-5206 |
| VCID-4men-293s-3bhn | security update | CVE-2023-33934 |
| VCID-4wwn-74ac-p7dp | security update | CVE-2021-37150 |
| VCID-568b-s8ks-vfa6 | security update | CVE-2019-17565 |
| VCID-5781-s1ny-q7ey | | CVE-2023-44487 GHSA-2m7v-gc89-fjqf GHSA-qppj-fm5r-hxr3 GHSA-vx74-f528-fxqg GHSA-xpw8-rcwv-8f8p GMS-2023-3377 VSV00013 |
| VCID-61q8-wyrp-rycg | Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop accepting new connections. This issue affects Apache Traffic Server 5.0.0 to 9.1.0. | CVE-2021-41585 |
| VCID-6bwv-cd3d-mudb | security update | CVE-2019-17559 |
| VCID-73aa-rk27-tye1 | security update | CVE-2022-37392 |
| VCID-7nhc-5p2x-t3cj | security update | CVE-2022-25763 |
| VCID-8aev-nmwa-fkcg | A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. This affects version 6.2.2. To resolve this issue users running 6.2.2 should upgrade to 6.2.3 or later versions. | CVE-2018-8022 |
| VCID-8ta5-mh5e-cfft | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the stats-over-http plugin of Apache Traffic Server allows an attacker to overwrite memory. This issue affects Apache Traffic Server 9.1.0. | CVE-2021-43082 |
| VCID-931v-ukcc-6qaa | security update | CVE-2021-44040 |
| VCID-9pd6-v7d1-9qem | The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary code via vectors related to the (1) frame_handlers array or (2) set_dynamic_table_size function. | CVE-2015-3249 |
| VCID-9rs4-uvph-3yh7 | Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT. | CVE-2014-3624 |
| VCID-aqt5-2ffy-9bgs | HTTP/2: flood using SETTINGS frames results in unbounded memory growth | CVE-2019-9515 |
| VCID-au6q-ek7r-8bgr | sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios. This problem was discovered in versions 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, and 8.0.0 to 8.0.1. | CVE-2018-11783 |
| VCID-b7zx-ywwc-57d9 | security update | CVE-2022-31778 |
| VCID-bb5y-kjej-bbfm | security update | CVE-2022-28129 |
| VCID-bdgg-edbf-xfav | security update | CVE-2022-47184 |
| VCID-btm9-vxvc-3qhv | security update | CVE-2019-10079 |
| VCID-by94-r8f3-z3fs | Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin. | CVE-2021-27737 |
| VCID-c5hc-3jtx-k3a6 | HTTP/2: flood using empty frames results in excessive resource consumption | CVE-2019-9518 |
| VCID-c675-5njd-63hk | security update | CVE-2021-27577 |
| VCID-cbe5-hhz8-bqbn | security update | CVE-2021-44759 |
| VCID-cscf-sb71-jybq | security update | CVE-2021-32566 |
| VCID-esap-nkps-cfg9 | Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. | CVE-2024-35296 |
| VCID-fmwc-nmhh-ryaf | security update | CVE-2020-9481 |
| VCID-fq5y-b9yq-nbee | security update | CVE-2021-37148 |
| VCID-fvbh-59fu-cfb6 | Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks. This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions. | CVE-2022-40743 |
| VCID-gqeq-hqf6-abh9 | Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 10.0.4, which fixes the issue. | CVE-2024-56196 |
| VCID-has1-mf68-q3am | Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 9.2.3, which fixes the issue. | CVE-2023-39456 |
| VCID-hbte-dsw2-y7ad | golang.org/x/net/http vulnerable to ping floods. Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. Specific Go packages affected: golang.org/x/net/http2 | CVE-2019-9512 GHSA-hgr8-6h9x-f7q9 |
| VCID-j6r7-ypa1-zybv | security update | CVE-2020-17509 |
| VCID-jb1b-9gr2-suez | Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. | CVE-2024-35161 |
| VCID-jdjf-3w9k-xbaw | security update | CVE-2023-41752 |
| VCID-k2ks-3t6e-uqgu | security update | CVE-2020-1944 |
| VCID-khz4-1uav-cqgg | Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5206. | CVE-2015-5168 |
| VCID-m8p8-5n65-qyhy | Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack. | CVE-2016-5396 |
| VCID-msu4-5h99-2yaq | security update | CVE-2017-5660 |
| VCID-n66u-b73u-zucb | golang.org/x/net/http vulnerable to a reset flood. Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. Specific Go packages affected: golang.org/x/net/http2 | CVE-2019-9514 GHSA-39qc-96h7-956f |
| VCID-nbwy-fdv2-uydt | security update | CVE-2017-7671 |
| VCID-p5f7-uu6r-8bez | security update | CVE-2022-31780 |
| VCID-pxaf-6qxa-77h9 | security update | CVE-2020-17508 |
| VCID-qwmj-ez4q-7qex | security update | CVE-2018-1318 |
| VCID-r86j-zujn-f7ez | security update | CVE-2018-8005 |
| VCID-rvs1-czut-e3bg | Apache Traffic Server 2.0.x and 3.0.x before 3.0.4 and 3.1.x before 3.1.3 does not properly allocate heap memory, which allows remote attackers to cause a denial of service (daemon crash) via a long HTTP Host header. | CVE-2012-0256 |
| VCID-rw58-bnwt-2bam | Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. | CVE-2023-38522 |
| VCID-scpg-5hcj-5yd3 | Apache Traffic Server before 6.2.1 generates a coredump when there is a mismatch between content length and chunked encoding. | CVE-2017-5659 |
| VCID-skrs-cynm-r7du | security update | CVE-2023-33933 |
| VCID-t559-a5u6-4ke1 | security update | CVE-2021-37147 |
| VCID-u4tn-85je-n7gt | Apache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer sizing. | CVE-2014-10022 |
| VCID-u5qg-vszr-9ye2 | security update | CVE-2022-47185 |
| VCID-ue7s-pn8b-vydz | security update | CVE-2018-8004 |
| VCID-uhqf-tsxe-ayc2 | security update | CVE-2021-37149 |
| VCID-uhxq-9bzs-u3fd | security update | CVE-2021-35474 |
| VCID-uvhz-uspt-7ygz | Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, 4.x before 4.2.1.1, and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks. | CVE-2014-3525 |
| VCID-uy1m-av2n-jybt | security update | CVE-2023-30631 |
| VCID-va7d-ktp2-m7et | security update | CVE-2018-8040 |
| VCID-w42s-4aps-y3c5 | security update | CVE-2021-38161 |
| VCID-waer-as81-8fed | trafficserver: CONTINUATION frames DoS | CVE-2024-31309 |
| VCID-xh97-4sn5-vyfw | security update | CVE-2021-32567 |
| VCID-xwdc-hndy-yubc | security update | CVE-2020-9494 |
| VCID-xwru-y5m9-gucd | security update | CVE-2022-31779 |
| VCID-zmh1-wmct-uyf7 | security update | CVE-2021-32565 |