Multiple vulnerabilities in Apache Traffic Server
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-17565 CVE-2019-17559 CVE-2020-1944 |
| CWE-ID | CWE-444 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Apache Traffic Server Server applications / Web servers |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU26349
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-17565
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attack.
The vulnerability exists due to improper input validation in HTTP headers and chunked encoding. A remote attacker can send a specially crafted HTTP request and perform HTTP request smuggling attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsApache Traffic Server: 6.0.0 - 8.0.5
CPE2.3- cpe:2.3:a:apache_foundation:apache_ats:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:6.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:6.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:7.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:8.0.5:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU26348
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-17559
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attack.
The vulnerability exists due to improper input validation in HTTP headers and scheme parsing. A remote attacker can send a specially crafted HTTP request and perform HTTP request smuggling attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsApache Traffic Server: 6.0.0 - 8.0.5
CPE2.3- cpe:2.3:a:apache_foundation:apache_ats:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:6.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:6.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:7.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:8.0.5:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU26347
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-1944
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attack.
The vulnerability exists due to improper input validation in HTTP headers and a Content-Length header. A remote attacker can send a specially crafted HTTP request and perform HTTP request smuggling attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsApache Traffic Server: 6.0.0 - 8.0.5
CPE2.3- cpe:2.3:a:apache_foundation:apache_ats:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:6.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:6.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:7.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_ats:8.0.5:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
