Description: ATS is vulnerable to smuggle, cache poison, and possible authorization attacks.
CVE (8.1.x and 9.1.x): CVE-2021-37150 Protocol vs scheme mismatch CVE-2022-25763 Improper input validation on HTTP/2 headers CVE-2022-28129 Insufficient Validation of HTTP/1.x Headers CVE-2022-31780 HTTP/2 framing vulnerabilities CVE (8.1.x): CVE-2022-31778 Transfer-Encoding not treated as hop-by-hop Reported By: Mazakatsu Kitajo, Tony Regins, and Zhang Zeyu (CVE-2022-25763) Zhang Zeyu (CVE-2022-28129) Bahruz Jabiyev, Steven Sprecher, Anthony Gavazzi, Tommaso Innocenti, Kaan Onarlioglu, and Engin Kirda (CVE-2022-31780) Chris Lemmons (CVE-2022-31778) Vendor: The Apache Software Foundation Version Affected: ATS 8.0.0 to 8.1.4 ATS 9.0.0 to 9.1.2 Mitigation: 8.x users should upgrade to 8.1.5 or later versions 9.x users should upgrade to 9.1.3 or later versions References: Downloads: https://trafficserver.apache.org/downloads (Please use backup sites from the link only if the mirrors are unavailable) CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37150 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25763 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28129 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31780 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31778 -Bryan
