Description:
ATS is vulnerable to request smuggling, cache poisoning, and DoS attacks.

CVE (8.1.x and 9.1.x):
CVE-2022-32749 - Improperly handled requests can cause crashes in specific plugins
CVE-2022-37392 - Improperly reading the client request body

CVE (9.1.x):
CVE-2022-40743 - Security issues with the xdebug plugin

Reported By:
Vijay Mamidi (CVE-2022-32749)
Menno de Gier (CVE-2022-37392)
Nick Frost (CVE-2022-40743)

Vendor:
The Apache Software Foundation

Version Affected:
ATS 8.0.0 to 8.1.5
ATS 9.0.0 to 9.1.3

Mitigation:
8.x users should upgrade to 8.1.6 or later versions
9.x users should upgrade to 9.1.4 or later versions

References:
Downloads:
https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40743

-Bryan