Description:
  Apache Traffic Server (ATS) is vulnerable to malformed requests and also has ACL issues.

CVE:
  CVE-2024-38311 - Request smuggling via pipelining after a chunked message body
  CVE-2024-56195 - Intercept plugins are not access controlled
  CVE-2024-56196 - ACL is not fully compatible with older versions
  CVE-2024-56202 - Expect header field can unreasonably retain resources

Reported By:
  Ben Kallus (CVE-2024-38311)
  Masaori Koshiba (CVE-2024-56195)
  Chris McFarlen (CVE-2024-56196)
  David Carlin (CVE-2024-56202)

Vendor:
  The Apache Software Foundation

Version Affected:
  ATS 9.0.0 to 9.2.8 (CVE-2024-38311, CVE-2024-56195, CVE-2024-56202)
  ATS 10.0.0 to 10.0.3 (CVE-2024-38311, CVE-2024-56195, CVE-2024-56196, CVE-2024-56202)

Mitigation:
  9.x users should upgrade to 9.2.9 or a later version.
  10.x users should upgrade to 10.0.4 or a later version.

CVE:
  https://www.cve.org/CVERecord?id=CVE-2024-38311
  https://www.cve.org/CVERecord?id=CVE-2024-56195
  https://www.cve.org/CVERecord?id=CVE-2024-56196
  https://www.cve.org/CVERecord?id=CVE-2024-56202