You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@trafficserver.apache.org by Bryan Call <bc...@apache.org> on 2018/08/28 22:39:51 UTC
[ANNOUNCE] Apache Traffic Server vulnerability with header variable
access in the ESI plugin - CVE-2018-8040
CVE-2018-8040: Apache Traffic Server vulnerability with header variable access in the ESI plugin
Reported By:
Louis Dion-Marcil
Vendor:
The Apache Software Foundation
Version Affected:
ATS 6.0.0 to 6.2.2
ATS 7.0.0 to 7.1.2
Description:
Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configure not to allow access.
Mitigation:
6.x users should upgrade to 6.2.3 or later versions
7.x users should upgrade to 7.1.3 or later versions
References:
Downloads:
https://trafficserver.apache.org/downloads
Github Pull Request:
https://github.com/apache/trafficserver/pull/3926
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8040
-Bryan
Re: [ANNOUNCE] Apache Traffic Server vulnerability with header
variable access in the ESI plugin - CVE-2018-8040
Posted by Bryan Call <bc...@apache.org>.
There was an error in the Version Affected section. This also effects version 7.1.3 and users running 7.x should upgrade to 7.1.4 or later versions.
Thank you,
-Bryan
> On Aug 28, 2018, at 3:39 PM, Bryan Call <bc...@apache.org> wrote:
>
> CVE-2018-8040: Apache Traffic Server vulnerability with header variable access in the ESI plugin
>
> Reported By:
> Louis Dion-Marcil
>
> Vendor:
> The Apache Software Foundation
>
> Version Affected:
> ATS 6.0.0 to 6.2.2
> ATS 7.0.0 to 7.1.2
>
> Description:
> Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configure not to allow access.
>
> Mitigation:
> 6.x users should upgrade to 6.2.3 or later versions
> 7.x users should upgrade to 7.1.3 or later versions
>
> References:
> Downloads:
> https://trafficserver.apache.org/downloads
> Github Pull Request:
> https://github.com/apache/trafficserver/pull/3926
> CVE:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8040
>
> -Bryan
>
>
>
Re: [ANNOUNCE] Apache Traffic Server vulnerability with header
variable access in the ESI plugin - CVE-2018-8040
Posted by Bryan Call <bc...@apache.org>.
There was an error in the Version Affected section. This also effects version 7.1.3 and users running 7.x should upgrade to 7.1.4 or later versions.
Thank you,
-Bryan
> On Aug 28, 2018, at 3:39 PM, Bryan Call <bc...@apache.org> wrote:
>
> CVE-2018-8040: Apache Traffic Server vulnerability with header variable access in the ESI plugin
>
> Reported By:
> Louis Dion-Marcil
>
> Vendor:
> The Apache Software Foundation
>
> Version Affected:
> ATS 6.0.0 to 6.2.2
> ATS 7.0.0 to 7.1.2
>
> Description:
> Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configure not to allow access.
>
> Mitigation:
> 6.x users should upgrade to 6.2.3 or later versions
> 7.x users should upgrade to 7.1.3 or later versions
>
> References:
> Downloads:
> https://trafficserver.apache.org/downloads
> Github Pull Request:
> https://github.com/apache/trafficserver/pull/3926
> CVE:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8040
>
> -Bryan
>
>
>
Re: [ANNOUNCE] Apache Traffic Server vulnerability with header
variable access in the ESI plugin - CVE-2018-8040
Posted by Bryan Call <bc...@apache.org>.
There was an error in the Version Affected section. This also effects version 7.1.3 and users running 7.x should upgrade to 7.1.4 or later versions.
Thank you,
-Bryan
> On Aug 28, 2018, at 3:39 PM, Bryan Call <bc...@apache.org> wrote:
>
> CVE-2018-8040: Apache Traffic Server vulnerability with header variable access in the ESI plugin
>
> Reported By:
> Louis Dion-Marcil
>
> Vendor:
> The Apache Software Foundation
>
> Version Affected:
> ATS 6.0.0 to 6.2.2
> ATS 7.0.0 to 7.1.2
>
> Description:
> Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configure not to allow access.
>
> Mitigation:
> 6.x users should upgrade to 6.2.3 or later versions
> 7.x users should upgrade to 7.1.3 or later versions
>
> References:
> Downloads:
> https://trafficserver.apache.org/downloads
> Github Pull Request:
> https://github.com/apache/trafficserver/pull/3926
> CVE:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8040
>
> -Bryan
>
>
>