Chris Lemmons

**Name of the Vulnerable Software and Affected Versions** Apache Traffic Control (affected versions not specified) **Description** A flaw exists in Apache Traffic Control’s Traffic Router component where a malicious pattern provided through the management interface can lead to unavailability. Individuals with access to the management interface are able to specify these patterns. This project is no longer supported, and a fix will not be released. **Recommendations** Restrict access to the instance to trusted users. Find an alternative to Apache Traffic Control.

**Name of the Vulnerable Software and Affected Versions** Apache Traffic Server versions 8.0.0 through 9.2.0 **Description** The issue is related to improper input validation in Apache Traffic Server. The configuration option `proxy.config.http.push method enabled` did not function as expected. However, by default, the PUSH method is blocked in the `ip allow` configuration file. This could potentially allow a remote attacker to cause a denial of service. **Recommendations** 8.x users should upgrade to 8.1.7 or later versions 9.x users should upgrade to 9.2.1 or later versions

**Name of the Vulnerable Software and Affected Versions** Apache Traffic Server versions 8.0.0 through 9.0.2 **Description** The issue is related to improper input validation in handling the Transfer-Encoding header, allowing an attacker to poison the cache. **Recommendations** For Apache Traffic Server versions 8.0.0 through 9.0.2, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.