[ANNOUNCE] Apache Traffic Server is vulnerable to access control, DOS, and cache poison attacks

2023-08-08 Thread Bryan Call
Description: ATS is vulnerable to access control, DOS, and cache poison attacks
CVE (8.1.x and 9.2.x):
CVE-2022-47185 - Invalid Range header causes a crash
CVE-2023-33934 - Differential Fuzzing for HTTP Request Parsing Discrepancies
Reported By: Katsutoshi Ikenoya (CVE-2022-47185) Bahruz Jabiyev,

Re: [Discuss, Proposal] Plugins promotions, deprecations and removals for ATS v10.0.0

2023-08-08 Thread David Carlin
I was testing the statichit plugin as a replacement for healthchecks, and I noticed the "@pparam=--max-age" option doesn't apply to failure-code response cases. The healthchecks plugin always includes "Cache-Control: no-cache" for either 200 or 404 cases to prevent any intermediate devices from caching