CVE-2017-5660
HIGH
Apache Traffic Server <= 6.2.0 and <= 7.0.0 - Improper Input Validation via Host Header Line Folding
Title source: llm
Description
Apache Traffic Server (ATS) 6.2.0 and prior and 7.0.0 and prior contain a vulnerability in the handling of the Host header with line folding. This can cause problems when interacting with upstream proxies, with the wrong host being used.
References (2)
Core References
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2018/dsa-4128
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/22d84783d94c53a5132ec89f002fe5165c87561a9428bcb6713b3c98%40%3Cdev.trafficserver.apache.org%3E
Scores
CVSS v3: 8.6
EPSS: 0.0258
EPSS Percentile: 85.8%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Details
CWE: CWE-20
Status: published
Products (5)
apache/traffic_server 6.2.1 (2 CPE variants)
apache/traffic_server 6.2.2 (2 CPE variants)
apache/traffic_server 7.0.0 (4 CPE variants)
apache/traffic_server < 6.2.0
debian/debian_linux 9.0
Published: Feb 27, 2018
Tracked Since: Feb 18, 2026