CVE-2024-35161

HIGH

Apache Traffic Server < 8.1.11 - HTTP Request Smuggling

Title source: rule

Description

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

References (2)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/09/msg00040.html

Scores

CVSS v3 7.5

EPSS 0.0021

EPSS Percentile 43.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE

CWE-444

Status published

Affected Products (1)

apache/traffic_server < 8.1.11

Timeline

Published Jul 26, 2024

Tracked Since Feb 18, 2026