Search for vulnerabilities
| Vulnerability ID | VCID-rw58-bnwt-2bam |
| Aliases |
CVE-2023-38522
|
| Summary | Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 6.8 |
| Risk | 3.4 |
| Affected and Fixed Packages | Package Details |
| Reference id | Reference type | URL |
|---|---|---|
| https://api.first.org/data/v1/epss?cve=CVE-2023-38522 | ||
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38522 | ||
| 1077141 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077141 | |
| c4mcmpblgl8kkmyt56t23543gp8v56m0 | https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0 |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Percentile | 0.58458 |
| EPSS Score | 0.00364 |
| Published At | April 2, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-04-01T16:36:41.415783+00:00 | Debian Oval Importer | Import | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.0.0 |