Description: ATS is vulnerable to access control, DoS, and cache poisoning attacks

CVE (8.1.x and 9.2.x):
CVE-2022-47185 - Invalid Range header causes a crash
CVE-2023-33934 - Differential Fuzzing for HTTP Request Parsing Discrepancies

Reported By:
Katsutoshi Ikenoya (CVE-2022-47185)
Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, Harvey Tuch (CVE-2023-33934)

Vendor:
The Apache Software Foundation

Version Affected:
ATS 8.0.0 to 8.1.7
ATS 9.0.0 to 9.2.1

Mitigation:
8.x users should upgrade to 8.1.8 or later versions
9.x users should upgrade to 9.2.2 or later versions

References:
Downloads:
https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47185
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33934

-Bryan