OpenCVE

Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Traffic Server

Configuration 1 [-]

OR	cpe:2.3:a:apache:traffic_server::::::::
	cpe:2.3:a:apache:traffic_server::::::::

No data.

References

Link	Providers
https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-12-19T11:06:14.186Z

Updated: 2024-08-03T12:28:41.365Z

Reserved: 2022-09-16T15:16:34.382Z

Link: CVE-2022-40743

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-19T12:15:11.040

Modified: 2023-07-17T15:15:09.407

Link: CVE-2022-40743

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-40743", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "requesterUserId": "01d7ebfd-4418-401d-b8e4-f5ae3da29160", "dateReserved": "2022-09-16T15:16:34.382Z", "datePublished": "2022-12-19T11:06:14.186Z", "dateUpdated": "2024-08-03T12:28:41.365Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Traffic Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "9.1.3", "status": "affected", "version": "9.0.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nick Frost"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.<p>This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.<br></p>"}], "value": "Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-07-17T14:33:10.180Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Traffic Server: Security issues with the xdebug plugin", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Disable the xdebug plugin or change the default header to activate the plugin."}], "value": "Disable the xdebug plugin or change the default header to activate the plugin."}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:28:41.365Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02"}]}]}}