Description: ATS is vulnerable to information disclosure and cache poisoning attacks

CVE (8.1.x and 9.2.x):
CVE-2022-47184 - The TRACE method can be used to disclose network information
CVE-2023-30631 - Configuration option to block the PUSH method in ATS didn't work
CVE-2023-33933 - s3_auth plugin problem with hash calculation

Reported By:
Martin O’Neal (CVE-2022-47184)
Chris Lemmons (CVE-2023-30631)
Masakazu Kitajo (CVE-2023-33933)

Vendor:
The Apache Software Foundation

Version Affected:
ATS 8.0.0 to 8.1.6
ATS 9.0.0 to 9.2.0

Mitigation:
8.x users should upgrade to 8.1.7 or later versions
9.x users should upgrade to 9.2.1 or later versions

References:
Downloads:
https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33933

-Bryan
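
Added example (not part of the original announcement or the ATS project): a triage script that sorts an inventory of reported ATS versions into the affected ranges and upgrade targets listed above. The host names, the "ATS/x.y.z" version strings and the inventory layout are constructed assumptions.

```python
import re

# Per major branch: (first affected, last affected, first fixed), as stated
# under "Version Affected" and "Mitigation" in the advisory.
AFFECTED = {
    8: ((8, 0, 0), (8, 1, 6), (8, 1, 7)),
    9: ((9, 0, 0), (9, 2, 0), (9, 2, 1)),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, patch) from e.g. 'ATS/9.2.0', or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(text):
    """Return (status, upgrade_target) for one reported version string."""
    ver = parse_version(text)
    if ver is None:
        return ("unknown", None)          # version hidden: check the host by hand
    branch = AFFECTED.get(ver[0])
    if branch is None:
        return ("not-listed", None)       # the advisory makes no statement here
    low, high, fixed = branch
    if low <= ver <= high:
        return ("affected", ".".join(map(str, fixed)))
    return ("fixed", None)

def triage(inventory_lines):
    """Classify 'host version-string' lines; skip blanks and '#' comments."""
    report = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, reported = line.partition(" ")
        report.append((host,) + classify(reported))
    return report

# Constructed sample inventory (assumed layout: host, then reported version).
SAMPLE = """\
# host     reported version
edge-01 ATS/9.2.0
edge-02 ATS/9.2.1
edge-03 8.1.6
edge-04 ATS/7.1.12
edge-05 ATS
"""

if __name__ == "__main__":
    for host, status, target in triage(SAMPLE.splitlines()):
        print(f"{host:8} {status:10} {('upgrade to ' + target) if target else ''}")
```

A "fixed" result only reflects the reported version string; hosts that report no version, or a branch the advisory does not list, need a manual check.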