Posted to users@trafficserver.apache.org by Bryan Call <bc...@apache.org> on 2022/08/10 18:38:32 UTC

[ANNOUNCE] Apache Traffic Server is vulnerable to smuggle attack

There was a CVE missing in the announcement yesterday and it is also covered in the 8.1.5 and 9.1.3 releases.

Description:
ATS is vulnerable to smuggle attacks

CVE (8.1.x and 9.1.x):
CVE-2022-31779 Improper HTTP/2 scheme and method validation

Reported By:
Tony Regins (CVE-2022-31779)

Vendor:
The Apache Software Foundation

Version Affected:
ATS 8.0.0 to 8.1.4
ATS 9.0.0 to 9.1.2

Mitigation:
8.x users should upgrade to 8.1.5 or later versions
9.x users should upgrade to 9.1.3 or later versions

References:
Downloads:
https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31779

-Bryan