There was an error in the Version Affected section. This also affects version 7.1.3, and users running 7.x should upgrade to 7.1.4 or later versions.

Thank you,
-Bryan

> On Aug 28, 2018, at 3:39 PM, Bryan Call <bc...@apache.org> wrote:
>
> CVE-2018-8040: Apache Traffic Server vulnerability with header variable access in the ESI plugin
>
> Reported By:
> Louis Dion-Marcil
>
> Vendor:
> The Apache Software Foundation
>
> Version Affected:
> ATS 6.0.0 to 6.2.2
> ATS 7.0.0 to 7.1.2
>
> Description:
> Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access.
>
> Mitigation:
> 6.x users should upgrade to 6.2.3 or later versions
> 7.x users should upgrade to 7.1.3 or later versions
>
> References:
> Downloads:
> https://trafficserver.apache.org/downloads
> Github Pull Request:
> https://github.com/apache/trafficserver/pull/3926
> CVE:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8040
>
> -Bryan