CVE-2023-38522

HIGH

Apache Traffic Server <8.1.10, <9.2.4 - SSRF

Title source: llm

Description

Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

References (2)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/09/msg00040.html

Scores

CVSS v3 7.5

EPSS 0.0029

EPSS Percentile 52.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE

CWE-444

Status published

Affected Products (1)

apache/traffic_server < 8.1.11

Timeline

Published Jul 26, 2024

Tracked Since Feb 18, 2026