CVE-2023-38522

HIGH

Apache Traffic Server <8.1.10, <9.2.4 - SSRF

Title source: llm

Description

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

References (2)

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/09/msg00040.html

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0

Scores

CVSS v3 7.5

EPSS 0.0036

EPSS Percentile 58.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-444

Status published

Products (1)

apache/traffic_server 8.0.0 - 8.1.11

Published Jul 26, 2024

Tracked Since Feb 18, 2026