Masaori Koshiba

**Name of the Vulnerable Software and Affected Versions** Apache Traffic Server versions 9.2.0 through 9.2.8 Apache Traffic Server versions 10.0.0 through 10.0.3 **Description** The issue is related to Improper Access Control in Apache Traffic Server. **Recommendations** For versions 9.2.0 through 9.2.8, upgrade to version 9.2.9. For versions 10.0.0 through 10.0.3, upgrade to version 10.0.4.

**Name of the Vulnerable Software and Affected Versions** Apache Traffic Server version 9.1.0 **Description** The issue is related to a buffer copy without checking the size of input, also known as a 'Classic Buffer Overflow', in the stats-over-http plugin of Apache Traffic Server. This allows a remote attacker to overwrite memory, potentially leading to a denial of service. **Recommendations** For Apache Traffic Server version 9.1.0, consider disabling the stats-over-http plugin as a temporary workaround until a patch is available. Restrict access to the vulnerable plugin to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Traffic Server versions 7.0.0 through 7.1.12 Apache Traffic Server versions 8.0.0 through 8.1.1 Apache Traffic Server versions 9.0.0 through 9.0.1 **Description** The issue is related to improper input validation in the HTTP/2 module of Apache Traffic Server, which can be exploited by an attacker to cause a denial of service (DOS) of the server. **Recommendations** For versions 7.0.0 through 7.1.12, update to a version outside of this range to resolve the issue. For versions 8.0.0 through 8.1.1, update to a version outside of this range to resolve the issue. For versions 9.0.0 through 9.0.1, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the HTTP/2 module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apache Traffic Server versions 7.0.0 through 7.1.12 Apache Traffic Server versions 8.0.0 through 8.1.1 Apache Traffic Server versions 9.0.0 through 9.0.1 **Description** The issue is caused by a stack-based buffer overflow in the cachekey plugin of Apache Traffic Server. This can allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Apache Traffic Server versions 7.0.0 through 7.1.12, update to a version outside of this range to resolve the issue. For Apache Traffic Server versions 8.0.0 through 8.1.1, update to a version outside of this range to resolve the issue. For Apache Traffic Server versions 9.0.0 through 9.0.1, update to a version outside of this range to resolve the issue. As a temporary workaround, consider disabling the cachekey plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apache ATS versions 6.0.0 through 6.2.3 Apache ATS versions 7.0.0 through 7.1.9 Apache ATS versions 8.0.0 through 8.0.6 **Description** The issue is related to a HTTP/2 slow read attack and a reverse proxy and proxy redirection vulnerability in the Apache Traffic Server, which can lead to uncontrolled resource consumption. Exploitation of this issue may allow a remote attacker to cause a denial of service. **Recommendations** For versions 6.0.0 through 6.2.3, update to a version outside of this range to resolve the issue. For versions 7.0.0 through 7.1.9, update to a version outside of this range to resolve the issue. For versions 8.0.0 through 8.0.6, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the HTTP/2 protocol until a patch is available.