PT-2020-3646 · Apache · Apache Traffic Server

Zeddyu Lu · Published 2020-03-23 · Updated 2022-10-06 · CVE-2020-1944

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache Traffic Server versions 6.0.0 through 6.2.3
Apache Traffic Server versions 7.0.0 through 7.1.8
Apache Traffic Server versions 8.0.0 through 8.0.5

Description
The issue stems from inconsistent interpretation of HTTP requests, specifically of the Transfer-Encoding and Content-Length headers, when Apache Traffic Server acts as a reverse proxy or performs proxy redirection. A remote attacker can exploit it to gain access to confidential data, compromise data integrity, and cause a denial of service. The vulnerability involves an HTTP request smuggling attack.

Recommendations
For Apache Traffic Server versions 6.0.0 through 6.2.3, upgrade to version 7.1.9 or later.
For Apache Traffic Server versions 7.0.0 through 7.1.8, upgrade to version 7.1.9 or later.
For Apache Traffic Server versions 8.0.0 through 8.0.5, upgrade to version 8.0.6 or later.
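Checking a request for the Transfer-Encoding/Content-Length ambiguity described above, as an added example in Python that is not part of this advisory or of Apache Traffic Server; the sample requests are constructed, and the rules applied are those of RFC 7230 section 3.3.3 (a proxy rejects ambiguous framing instead of guessing):

```python
"""Pre-proxy check for HTTP/1.1 framing ambiguity (Transfer-Encoding vs
Content-Length), the inconsistency behind request smuggling. Constructed
example, not advisory or Apache Traffic Server code; rules per RFC 7230 3.3.3."""
import re

# Constructed sample requests, not captured traffic.
SAMPLE_OK = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\n\r\nhello")
SAMPLE_AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                    b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n"
                    b"\r\n0\r\n\r\n")

def parse_headers(raw: bytes):
    """Return (request_line, [(lower-cased name, value), ...]); body ignored."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in filter(None, lines[1:]):
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def framing_findings(raw: bytes):
    """Return the reasons this request's body length is ambiguous;
    an empty list means front end and origin cannot disagree on it."""
    _, headers = parse_headers(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    findings = []
    if te and cl:
        # RFC 7230 3.3.3: a request carrying both is an error, not a choice.
        findings.append("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            findings.append("Transfer-Encoding does not end with chunked")
    if cl:
        # Repeated Content-Length fields (or a comma list) must all agree.
        values = {v.strip() for field in cl for v in field.split(",")}
        if len(values) != 1:
            findings.append("conflicting Content-Length values")
        elif not re.fullmatch(r"[0-9]+", next(iter(values))):
            findings.append("non-numeric Content-Length")
    return findings

def is_safe_to_forward(raw: bytes) -> bool:
    """Reject (HTTP 400) rather than guess a framing the origin may not share."""
    return not framing_findings(raw)
```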

Fix

Weakness Enumeration

HTTP Request/Response Smuggling
Related Identifiers

BDU:2020-03994
CVE-2020-1944
DSA-4672-1

Affected Products

Apache Traffic Server