oss-sec mailing list archives
[CVE-2018-11783] Apache Traffic Server vulnerability with sslheader plugin
From: Bryan Call <bcall () apache org>
Date: Tue, 12 Feb 2019 15:42:35 -0800
CVE-2018-11783: Apache Traffic Server vulnerability with sslheader plugin

Reported By:
Nikhil Marathe

Vendor:
The Apache Software Foundation

Version Affected:
ATS 6.0.0 to 6.2.3
ATS 7.0.0 to 7.1.5
ATS 8.0.0 to 8.0.1

Description:
sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios.

Mitigation:
6.x users should upgrade to 7.1.6, 8.0.2, or later versions
7.x users should upgrade to 7.1.6 or later versions
8.x users should upgrade to 8.0.2 or later versions

References:
Downloads: https://trafficserver.apache.org/downloads
Github Pull Request: https://github.com/apache/trafficserver/pull/4701
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11783

-Bryan