CVE-2024-35296 - Vulnerability Details - OpenCVE

Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.

Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00302.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Apache	Traffic Server

Configuration 1 [-]

OR	cpe:2.3:a:apache:traffic_server::::::::
	cpe:2.3:a:apache:traffic_server::::::::

No data.

No data.

References

Link	Providers
https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0

History

Mon, 12 Aug 2024 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache traffic Server
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:apache:traffic_server::::::::
Vendors & Products		Apache Apache traffic Server
Metrics		cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-07-26T09:11:11.221Z

Updated: 2025-03-27T15:30:14.777Z

Reserved: 2024-05-15T21:41:36.675Z

Link: CVE-2024-35296

Vulnrichment

Updated: 2024-08-02T03:07:46.831Z

NVD

Status : Modified

Published: 2024-07-26T10:15:02.713

Modified: 2025-03-27T16:15:23.977

Link: CVE-2024-35296

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35296", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-05-15T21:41:36.675Z", "datePublished": "2024-07-26T09:11:11.221Z", "dateUpdated": "2025-03-27T15:30:14.777Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Traffic Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "8.1.10", "status": "affected", "version": "8.0.0", "versionType": "semver"}, {"lessThanOrEqual": "9.2.4", "status": "affected", "version": "9.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Min Chen"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.</p><p>This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.</p><p>Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.</p>"}], "value": "Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.\n\nUsers are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-26T09:11:11.221Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Traffic Server: Invalid Accept-Encoding can force forwarding requests", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-26T14:01:18.718161Z", "id": "CVE-2024-35296", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-27T15:30:14.777Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.831Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.831Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-35296", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-26T14:01:18.718161Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T20:18:09.335Z"}}], "cna": {"title": "Apache Traffic Server: Invalid Accept-Encoding can force forwarding requests", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Min Chen"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Traffic Server", "versions": [{"status": "affected", "version": "8.0.0", "versionType": "semver", "lessThanOrEqual": "8.1.10"}, {"status": "affected", "version": "9.0.0", "versionType": "semver", "lessThanOrEqual": "9.2.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.\n\nUsers are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.</p><p>This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.</p><p>Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-26T09:11:11.221Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35296", "state": "PUBLISHED", "dateUpdated": "2025-03-27T15:30:14.777Z", "dateReserved": "2024-05-15T21:41:36.675Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-07-26T09:11:11.221Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4F8362B-1EAE-453D-B231-744F00ED33BF", "versionEndExcluding": "8.1.11", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5DEB7909-4350-4D44-BAA2-72BEF6E132C1", "versionEndExcluding": "9.2.5", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.\n\nUsers are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue."}, {"lang": "es", "value": "Un encabezado Invalid Accept-Encoding puede provocar que Apache Traffic Server no pueda realizar una b\u00fasqueda en cach\u00e9 y fuerce el reenv\u00edo de solicitudes. Este problema afecta a Apache Traffic Server: de la versi\u00f3n 8.0.0 a la 8.1.10 y de la versi\u00f3n 9.0.0 a la 9.2.4. Se recomienda a los usuarios que actualicen a la versi\u00f3n 8.1.11 o 9.2.5, que soluciona el problema."}], "id": "CVE-2024-35296", "lastModified": "2025-03-27T16:15:23.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-26T10:15:02.713", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}