Vulnerabilities > CVE-2018-8040 - Exposure of Resource to Wrong Sphere vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
LOW Availability impact
NONE Summary
Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-4282.NASL |
description | Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, cache poisoning or information disclosure. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 112232 |
published | 2018-09-04 |
reporter | This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/112232 |
title | Debian DSA-4282-1 : trafficserver - security update |
code |
|
References
- https://github.com/apache/trafficserver/pull/3926
- http://www.securityfocus.com/bid/105181
- https://www.debian.org/security/2018/dsa-4282
- https://lists.apache.org/thread.html/cc7aa2ce1c6f4fe0c6bfef517763cdaad30ec7bcb0115b73f73f3c01%40%3Cusers.trafficserver.apache.org%3E
- https://lists.apache.org/thread.html/36b3df68fe7311965f6bc4630ca413d2aa99d8f1d53affda85ea70d7%40%3Cusers.trafficserver.apache.org%3E