Search for vulnerabilities
Vulnerability details: VCID-zxzg-398f-aaaj
Vulnerability ID VCID-zxzg-398f-aaaj
Aliases CVE-2023-38522
Summary Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-20 Improper Input Validation
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38522.json
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00178 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00257 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00257 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00257 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.00257 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01111 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01111 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01111 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01111 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01111 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01111 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01235 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01572 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01572 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01653 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01653 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01653 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01653 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01653 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01653 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01653 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01653 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01653 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01705 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01705 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01705 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01705 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01705 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01705 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01705 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01705 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01705 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.01741 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.02265 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.02265 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.02265 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.02265 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
epss 0.04228 https://api.first.org/data/v1/epss?cve=CVE-2023-38522
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-38522
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-38522
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38522.json
https://api.first.org/data/v1/epss?cve=CVE-2023-38522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38522
https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0
1077141 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077141
2300034 https://bugzilla.redhat.com/show_bug.cgi?id=2300034
cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
CVE-2023-38522 https://nvd.nist.gov/vuln/detail/CVE-2023-38522
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38522.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-38522
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-38522
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.55766
EPSS Score 0.00178
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-07-25T22:50:39.349913+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 34.0.0rc4