CVE-2018-8040

MEDIUM

Description

Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.

References

http://www.securityfocus.com/bid/105181

https://github.com/apache/trafficserver/pull/3926

https://lists.apache.org/thread.html/[email protected]%3Cusers.trafficserver.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.trafficserver.apache.org%3E

https://www.debian.org/security/2018/dsa-4282

Details

Source: MITRE

Published: 2018-08-29

Updated: 2018-11-08

Type: CWE-284

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Impact Score: 1.4

Exploitability Score: 3.9

Severity: MEDIUM