PT-2020-5796 · Apache · Apache Traffic Server
Bryan Call · Published 2020-08-12 · Updated 2021-01-15 · CVE-2020-17509
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
Apache Traffic Server versions 6.0.0 through 6.2.3
Apache Traffic Server versions 7.0.0 through 7.1.11
Apache Traffic Server versions 8.0.0 through 8.1.0
Description:
The issue is related to the ATS negative cache option, which is vulnerable to a cache poisoning attack. This vulnerability can be exploited by a remote attacker to impact data integrity. The attack is associated with a flaw in the interpretation of HTTP requests.
Recommendations:
For Apache Traffic Server versions 6.0.0 through 6.2.3, upgrade or disable the ATS negative cache option to mitigate the risk.
For Apache Traffic Server versions 7.0.0 through 7.1.11, upgrade or disable the ATS negative cache option to mitigate the risk.
For Apache Traffic Server versions 8.0.0 through 8.1.0, upgrade or disable the ATS negative cache option to mitigate the risk.
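An added example (not part of the original advisory or of the Apache Traffic Server project) that checks a host against the recommendations above: is the installed version inside one of the listed ranges, and is negative caching switched on in `records.config`. It assumes the option is the `proxy.config.http.negative_caching_enabled` setting, written as a `CONFIG <name> INT <value>` line, that it is off when absent, and that the last uncommented occurrence wins; the sample configuration is constructed.

```python
import re

# Affected ranges exactly as listed in this advisory (inclusive on both ends).
AFFECTED = [((6, 0, 0), (6, 2, 3)), ((7, 0, 0), (7, 1, 11)), ((8, 0, 0), (8, 1, 0))]
# Assumption: records.config key that controls the negative cache option.
NEG_CACHE_KEY = "proxy.config.http.negative_caching_enabled"

def parse_version(text):
    """Turn 'X.Y.Z' into a tuple of ints so ranges compare numerically."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def version_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def negative_caching_enabled(records_text, default=False):
    """Effective setting; assumes the last uncommented occurrence wins."""
    enabled = default
    for raw in records_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if (len(fields) == 4 and fields[0] == "CONFIG"
                and fields[1] == NEG_CACHE_KEY and fields[2] == "INT"):
            enabled = fields[3] != "0"
    return enabled

def assess(version, records_text):
    """Map a host to the advisory's recommendation."""
    if not version_affected(version):
        return "not-in-listed-range"
    if negative_caching_enabled(records_text):
        return "upgrade-or-disable-negative-cache"
    return "option-disabled-upgrade-still-advised"

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_RECORDS = """\
# cache tuning
CONFIG proxy.config.http.cache.http INT 1
#CONFIG proxy.config.http.negative_caching_enabled INT 0
CONFIG proxy.config.http.negative_caching_enabled INT 1
"""

if __name__ == "__main__":
    for ver in ("6.2.3", "7.1.11", "8.1.0", "8.1.1"):
        print(ver, assess(ver, SAMPLE_RECORDS))
```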
Fix
HTTP Request/Response Smuggling
Affected Products
Apache Traffic Server