Vulnerability Description
Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Traffic Server | >= 6.0.0, <= 6.2.2 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/105181Third Party AdvisoryVDB Entry
- https://github.com/apache/trafficserver/pull/3926PatchThird Party Advisory
- https://lists.apache.org/thread.html/36b3df68fe7311965f6bc4630ca413d2aa99d8f1d53
- https://lists.apache.org/thread.html/cc7aa2ce1c6f4fe0c6bfef517763cdaad30ec7bcb01
- https://www.debian.org/security/2018/dsa-4282Third Party Advisory
- http://www.securityfocus.com/bid/105181Third Party AdvisoryVDB Entry
- https://github.com/apache/trafficserver/pull/3926PatchThird Party Advisory
- https://lists.apache.org/thread.html/36b3df68fe7311965f6bc4630ca413d2aa99d8f1d53
- https://lists.apache.org/thread.html/cc7aa2ce1c6f4fe0c6bfef517763cdaad30ec7bcb01
- https://www.debian.org/security/2018/dsa-4282Third Party Advisory
FAQ
What is CVE-2018-8040?
CVE-2018-8040 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 an...
How severe is CVE-2018-8040?
CVE-2018-8040 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-8040?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Traffic Server, Debian Debian Linux.