Ben Kallus

**Name of the Vulnerable Software and Affected Versions** Apache Traffic Server versions 8.0.0 through 8.1.11 Apache Traffic Server versions 9.0.0 through 9.2.8 Apache Traffic Server versions 10.0.0 through 10.0.3 **Description** The issue is related to Improper Input Validation. Users are advised to upgrade to resolve the issue. **Recommendations** Upgrade to version 9.2.9 or 10.0.4 to fix the issue.

Name of the Vulnerable Software and Affected Versions: Payara Server versions 4.1.151 through 4.1.2.191.51 Payara Server versions 5.20.0 through 5.70.0 Payara Server versions 5.2020.2 through 5.2022.5 Payara Server versions 6.2022.1 through 6.2024.12 Payara Server versions 6.0.0 through 6.21.0 Payara Micro versions 4.1.152 through 4.1.2.191.51 Payara Micro versions 5.20.0 through 5.70.0 Payara Micro versions 5.2020.2 through 5.2022.5 Payara Micro versions 6.2022.1 through 6.2024.12 Payara Micro versions 6.0.0 through 6.21.0 Description: The issue affects the Payara Platform, specifically Payara Server and Payara Micro, allowing for Manipulating State and Identity Spoofing due to an Improper Neutralization of CRLF Sequences in HTTP Headers, also known as 'HTTP Request/Response Splitting'. Recommendations: For Payara Server versions 4.1.151 through 4.1.2.191.51, update to a version outside of this range to resolve the issue. For Payara Server versions 5.20.0 through 5.70.0, update to a version outside of this range to resolve the issue. For Payara Server versions 5.2020.2 through 5.2022.5, update to a version outside of this range to resolve the issue. For Payara Server versions 6.2022.1 through 6.2024.12, update to a version outside of this range to resolve the issue. For Payara Server versions 6.0.0 through 6.21.0, update to a version outside of this range to resolve the issue. For Payara Micro versions 4.1.152 through 4.1.2.191.51, update to a version outside of this range to resolve the issue. For Payara Micro versions 5.20.0 through 5.70.0, update to a version outside of this range to resolve the issue. For Payara Micro versions 5.2020.2 through 5.2022.5, update to a version outside of this range to resolve the issue. For Payara Micro versions 6.2022.1 through 6.2024.12, update to a version outside of this range to resolve the issue. For Payara Micro versions 6.0.0 through 6.21.0, update to a version outside of this range to resolve the issue. As a temporary workaround, consider disabling the `Grizzly` and `REST Management Interface` modules until a patch is available. Restrict access to the vulnerable `Grizzly` modules to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Apache Traffic Server versions 8.0.0 through 8.1.10 Apache Traffic Server versions 9.0.0 through 9.2.4 Description: The issue exists due to insufficient input validation, allowing an attacker to exploit the vulnerability and potentially conduct HTTP request smuggling attacks, which may also lead to cache poisoning if the origin servers are vulnerable. Recommendations: For Apache Traffic Server versions 8.0.0 through 8.1.10, upgrade to version 8.1.11. For Apache Traffic Server versions 9.0.0 through 9.2.4, upgrade to version 9.2.5.

**Name of the Vulnerable Software and Affected Versions** HAProxy versions prior to 2.8.2 **Description** The issue is related to HAProxy accepting # as part of the URI component. This could allow remote attackers to obtain sensitive information or have other unspecified impacts due to the misinterpretation of a path end rule. For example, it might route index.html#.png to a static server. **Recommendations** For versions prior to 2.8.2, update to version 2.8.2 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive information that could be exposed through the misinterpretation of URI components.

**Name of the Vulnerable Software and Affected Versions** Mongoose versions prior to 7.10 **Description** The issue arises from the HTTP server in Mongoose accepting requests with negative Content-Length headers. This can be exploited by an attacker sending a single malicious payload over TCP, causing the server to enter an infinite loop where it continuously reparses the payload and fails to respond to other requests. **Recommendations** For versions prior to 7.10, update to version 7.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the HTTP server to minimize the risk of exploitation.