PT-2023-3286 · Apache · Apache Traffic Server
Chris Lemmons · Published 2023-06-13 · Updated 2024-02-01 · CVE-2023-30631
CVSS v2.0: 7.8 High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Traffic Server versions 8.0.0 through 9.2.0
Description
The issue is related to improper input validation in Apache Traffic Server. The configuration option proxy.config.http.push_method_enabled did not function as expected. However, by default, the PUSH method is blocked in the ip_allow configuration file. This could potentially allow a remote attacker to cause a denial of service.
Recommendations
8.x users should upgrade to 8.1.7 or later versions
9.x users should upgrade to 9.2.1 or later versions
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Apache Traffic Server