Search for packages
| purl | pkg:deb/debian/trafficserver@6.2.0-1~bpo8%2B1 |
| Next non-vulnerable version | 9.2.5+ds-0+deb12u2 |
| Latest non-vulnerable version | 9.2.5+ds-0+deb12u2 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1384-m5b5-kfgm
Aliases: CVE-2019-9518 |
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-15ju-jpw8-zkcu
Aliases: CVE-2017-5660 |
security update |
Affected by 44 other vulnerabilities. |
|
VCID-1623-q9mw-qkc2
Aliases: CVE-2023-30631 |
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server. The configuration option proxy.config.http.push_method_enabled didn't function. However, by default the PUSH method is blocked in the ip_allow configuration file.This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0. 8.x users should upgrade to 8.1.7 or later versions 9.x users should upgrade to 9.2.1 or later versions |
Affected by 12 other vulnerabilities. |
|
VCID-1mub-9jpj-nuej
Aliases: CVE-2022-25763 |
Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. |
Affected by 12 other vulnerabilities. |
|
VCID-1u9n-4qyv-cudw
Aliases: CVE-2023-41752 |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fixes the issue. |
Affected by 12 other vulnerabilities. |
|
VCID-1x8w-cfex-6fdb
Aliases: CVE-2020-17509 |
ATS negative cache option is vulnerable to a cache poisoning attack. If you have this option enabled, please upgrade or disable this feature. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-4cuz-ksaf-z7ag
Aliases: CVE-2022-47185 |
Improper input validation vulnerability on the range header in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: through 9.2.1. |
Affected by 12 other vulnerabilities. |
|
VCID-4z9y-htvf-8bh1
Aliases: CVE-2016-5396 |
Affected by 51 other vulnerabilities. |
|
|
VCID-529e-qjy8-1kf9
Aliases: CVE-2018-8022 |
A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. This affects version 6.2.2. To resolve this issue users running 6.2.2 should upgrade to 6.2.3 or later versions. |
Affected by 51 other vulnerabilities. |
|
VCID-5574-wvcw-zqbg
Aliases: CVE-2021-37150 |
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. |
Affected by 12 other vulnerabilities. |
|
VCID-55zz-76x5-1bfe
Aliases: CVE-2023-33934 |
Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: through 9.2.1. |
Affected by 12 other vulnerabilities. |
|
VCID-5f8u-pckr-5ugu
Aliases: CVE-2021-35474 |
Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-5pgq-hc51-5ff7
Aliases: CVE-2021-32565 |
Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-5x4y-yahm-hqaw
Aliases: CVE-2023-38522 |
Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. |
Affected by 0 other vulnerabilities. |
|
VCID-6mqf-nqvk-yyhn
Aliases: CVE-2024-35161 |
Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. |
Affected by 0 other vulnerabilities. |
|
VCID-6shr-eztc-63az
Aliases: CVE-2022-31778 |
Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 8.0.0 to 9.0.2. |
Affected by 12 other vulnerabilities. |
|
VCID-87rc-69g5-ebh1
Aliases: CVE-2020-1944 |
security update |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-8dtu-bnhz-t3bx
Aliases: CVE-2020-9494 |
Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-9txj-n8gv-gbey
Aliases: CVE-2017-5659 |
Affected by 51 other vulnerabilities. |
|
|
VCID-aat6-pqk2-33hq
Aliases: CVE-2018-8040 |
security update |
Affected by 44 other vulnerabilities. |
|
VCID-ach4-44jw-q7cm
Aliases: CVE-2018-8005 |
security update |
Affected by 44 other vulnerabilities. |
|
VCID-amxh-2y3v-xqbf
Aliases: CVE-2021-44759 |
Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the middle attack. This issue affects Apache Traffic Server 8.0.0 to 8.1.0. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-bcpe-g3wj-bqhr
Aliases: CVE-2019-9515 |
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-bk2k-t8d5-b3dh
Aliases: CVE-2019-17565 |
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and chunked encoding. Upgrade to versions 7.1.9 and 8.0.6 or later versions. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-bk58-3p66-4yag
Aliases: CVE-2019-17559 |
There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and scheme parsing. Upgrade to versions 7.1.9 and 8.0.6 or later versions. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-bqyr-6khj-zbf9
Aliases: CVE-2022-47184 |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: 8.0.0 to 9.2.0. |
Affected by 12 other vulnerabilities. |
|
VCID-brww-7prv-rydz
Aliases: CVE-2022-32749 |
Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions. This issue affects Apache Traffic Server: from 8.0.0 through 9.1.3. |
Affected by 12 other vulnerabilities. |
|
VCID-c5he-2rr6-3ya6
Aliases: CVE-2022-37392 |
Improper Check for Unusual or Exceptional Conditions vulnerability in handling the requests to Apache Traffic Server. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. |
Affected by 12 other vulnerabilities. |
|
VCID-d9cm-e21m-byee
Aliases: CVE-2018-8004 |
security update |
Affected by 44 other vulnerabilities. |
|
VCID-ew5n-vyu2-ukc4
Aliases: CVE-2021-44040 |
Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-eyq1-cdd9-33c6
Aliases: CVE-2021-32567 |
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-fmrm-ykf1-6udp
Aliases: CVE-2018-1318 |
security update |
Affected by 44 other vulnerabilities. |
|
VCID-g1xx-wvz8-ukg4
Aliases: CVE-2021-38161 |
Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-g4bx-u7nw-subv
Aliases: CVE-2023-33933 |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0. 8.x users should upgrade to 8.1.7 or later versions 9.x users should upgrade to 9.2.1 or later versions |
Affected by 12 other vulnerabilities. |
|
VCID-gffq-t1mg-b7fw
Aliases: CVE-2020-9481 |
security update |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-gfpv-cw2e-nbd7
Aliases: CVE-2021-27577 |
Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-gfwa-frtw-xbcv
Aliases: CVE-2021-37147 |
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-gt9k-nahq-aya5
Aliases: CVE-2022-31779 |
Improper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. |
Affected by 12 other vulnerabilities. |
|
VCID-kck4-vy6z-fuhj
Aliases: CVE-2017-7671 |
security update |
Affected by 44 other vulnerabilities. |
|
VCID-me6s-51mr-tfdn
Aliases: CVE-2022-31780 |
Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. |
Affected by 12 other vulnerabilities. |
|
VCID-scny-ufj7-3fdz
Aliases: CVE-2021-37148 |
Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-sm56-1ey8-r3b3
Aliases: CVE-2024-35296 |
Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. |
Affected by 0 other vulnerabilities. |
|
VCID-sz9t-h6aa-hbaj
Aliases: CVE-2022-28129 |
Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. |
Affected by 12 other vulnerabilities. |
|
VCID-thb6-77ut-xuau
Aliases: CVE-2024-38479 |
Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue. |
Affected by 0 other vulnerabilities. |
|
VCID-u8xm-xx38-wudj
Aliases: CVE-2021-37149 |
Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-uwqf-x396-5uas
Aliases: CVE-2018-11783 |
sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios. This problem was discovered in versions 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, and 8.0.0 to 8.0.1. |
Affected by 44 other vulnerabilities. |
|
VCID-w5uu-nj7c-wka6
Aliases: CVE-2023-44487 GHSA-qppj-fm5r-hxr3 VSV00013 |
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
Affected by 12 other vulnerabilities. |
|
VCID-wv7u-zn1z-nufa
Aliases: CVE-2019-9514 GHSA-39qc-96h7-956f |
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-wxpd-r9sw-pqhx
Aliases: CVE-2024-50306 |
Unchecked return value can allow Apache Traffic Server to retain privileges on startup. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1. Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue. |
Affected by 0 other vulnerabilities. |
|
VCID-xdzj-wa93-yube
Aliases: CVE-2019-10079 |
security update |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-xj6f-2a2u-wbge
Aliases: CVE-2020-17508 |
The ATS ESI plugin has a memory disclosure vulnerability. If you are running the plugin please upgrade. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-xrq2-n48r-v3fv
Aliases: CVE-2021-32566 |
Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-xuk6-2n6t-37e1
Aliases: CVE-2019-9512 GHSA-hgr8-6h9x-f7q9 |
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
Affected by 44 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-z1pr-vv51-gqae
Aliases: CVE-2024-31309 |
HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute.  ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases. Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue. |
Affected by 12 other vulnerabilities. |