OpenCVE

Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 8.0.0 to 9.0.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Traffic Server
Debian	Debian Linux

Configuration 1 [-]

OR	cpe:2.3:a:apache:traffic_server::::::::
	cpe:2.3:a:apache:traffic_server::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
https://lists.debian.org/debian-lts-announce/2023/04/msg00007.html
https://www.debian.org/security/2022/dsa-5206

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-08-10T00:00:00

Updated: 2024-08-03T07:26:01.210Z

Reserved: 2022-05-27T00:00:00

Link: CVE-2022-31778

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-08-10T06:15:08.567

Modified: 2023-04-06T01:15:06.877

Link: CVE-2022-31778

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-31778", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-08-03T07:26:01.210Z", "dateReserved": "2022-05-27T00:00:00", "datePublished": "2022-08-10T00:00:00"}, "containers": {"cna": {"title": "Transfer-Encoding not treated as hop-by-hop", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-04-06T00:00:00"}, "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 8.0.0 to 9.0.2."}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Traffic Server", "versions": [{"version": "8.0.0 to 9.0.2", "status": "affected"}]}], "references": [{"url": "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21"}, {"name": "DSA-5206", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5206"}, {"name": "[debian-lts-announce] 20230405 [SECURITY] [DLA 3385-1] trafficserver security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00007.html"}], "credits": [{"lang": "en", "value": "Apache Traffic Server would like to thank Chris Lemmons for reporting this issue."}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:26:01.210Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21", "tags": ["x_transferred"]}, {"name": "DSA-5206", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5206"}, {"name": "[debian-lts-announce] 20230405 [SECURITY] [DLA 3385-1] trafficserver security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00007.html"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4FB9AB3D-9CA6-4BF3-89F3-DC2338C77442", "versionEndIncluding": "8.1.4", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7CE24A3-D4B2-4C92-85CA-F156C1C5B44D", "versionEndIncluding": "9.1.2", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 8.0.0 to 9.0.2."}, {"lang": "es", "value": "Una vulnerabilidad de Comprobaci\u00f3n de Entrada Inapropiada en el manejo de el encabezado Transfer-Encoding de Apache Traffic Server permite a un atacante envenenar la cach\u00e9. Este problema afecta a Apache Traffic Server versiones 8.0.0 a 9.0.2"}], "id": "CVE-2022-31778", "lastModified": "2023-04-06T01:15:06.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-10T06:15:08.567", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21"}, {"source": "security@apache.org", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00007.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5206"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@apache.org", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Secondary"}]}