CVE-2024-35161

HIGH

Apache Traffic Server < 8.1.11 - HTTP Request Smuggling

Title source: rule

Description

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

References (2)

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/09/msg00040.html

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0

Scores

CVSS v3 7.5

EPSS 0.0034

EPSS Percentile 56.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-444

Status published

Products (1)

apache/traffic_server 8.0.0 - 8.1.11

Published Jul 26, 2024

Tracked Since Feb 18, 2026