PT-2023-26958 · Apache · Apache Traffic Server

Akshat Parikh

Published

2023-10-17

Updated

2025-06-20

CVE-2023-39456

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Apache Traffic Server versions 9.0.0 through 9.2.2

Description The issue is related to an Improper Input Validation vulnerability in Apache Traffic Server, specifically with malformed HTTP/2 frames. Users are recommended to upgrade to a fixed version.

Recommendations For Apache Traffic Server versions 9.0.0 through 9.2.2, upgrade to version 9.2.3, which fixes the issue.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2023-39456

DSA-5549-1

OESA-2025-1659

Affected Products

Apache Traffic Server

PT-2023-26958 · Apache · Apache Traffic Server

CVE-2023-39456

Weakness Enumeration

Related Identifiers

Affected Products

References · 60