CVE-2018-8004 — MEDIUM (6.5)

Q: How severe is CVE-2018-8004?

CVE-2018-8004 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-8004?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Traffic Server, Debian Debian Linux.

Vulnerability Description

There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.

CVSS Score

6.5

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Traffic Server	>= 6.0.0, <= 6.2.2
Debian	Debian Linux	9.0

Related Weaknesses (CWE)

CWE-444

References

http://www.securityfocus.com/bid/105192Third Party AdvisoryVDB Entry
https://github.com/apache/trafficserver/pull/3192PatchThird Party Advisory
https://github.com/apache/trafficserver/pull/3201PatchThird Party Advisory
https://github.com/apache/trafficserver/pull/3231PatchThird Party Advisory
https://github.com/apache/trafficserver/pull/3251PatchThird Party Advisory
https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9
https://www.debian.org/security/2018/dsa-4282Third Party Advisory
http://www.securityfocus.com/bid/105192Third Party AdvisoryVDB Entry
https://github.com/apache/trafficserver/pull/3192PatchThird Party Advisory
https://github.com/apache/trafficserver/pull/3201PatchThird Party Advisory
https://github.com/apache/trafficserver/pull/3231PatchThird Party Advisory
https://github.com/apache/trafficserver/pull/3251PatchThird Party Advisory
https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9
https://www.debian.org/security/2018/dsa-4282Third Party Advisory

FAQ

What is CVE-2018-8004?

CVE-2018-8004 is a vulnerability with a CVSS score of 6.5 (MEDIUM). There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. ...

How severe is CVE-2018-8004?

CVE-2018-8004 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-8004?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Traffic Server, Debian Debian Linux.