Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed     requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning     if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10,     from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the     issue. (CVE-2023-38522)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3897 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3897-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                          Adrian Bunk     September 27, 2024                            https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : trafficserver     Version        : 8.1.11+ds-0+deb11u1     CVE ID         : CVE-2023-38522 CVE-2024-35161 CVE-2024-35296     Debian Bug     : 1077141

    Multiple vulnerabilities were fixed in trafficserver,     a caching proxy server.

    CVE-2023-38522

        Incomplete field name check allows request smuggling

    CVE-2024-35161

        Incomplete check for chunked trailer section allows         request smuggling

    CVE-2024-35296

        Invalid Accept-Encoding can force forwarding requests

    For Debian 11 bullseye, these problems have been fixed in version     8.1.11+ds-0+deb11u1.

    We recommend that you upgrade your trafficserver packages.

    For the detailed security status of trafficserver please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/trafficserver

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5758 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5758-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     August 26, 2024                       https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : trafficserver     CVE ID         : CVE-2023-38522 CVE-2024-35161 CVE-2024-35296

    Several vulnerabilities were discovered in Apache Traffic Server,     a reverse and forward proxy server, which could result in denial     of service or request smuggling.

    For the stable distribution (bookworm), these problems have been fixed in     version 9.2.5+ds-0+deb12u1.

    We recommend that you upgrade your trafficserver packages.

    For the detailed security status of trafficserver please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/trafficserver

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self reported version, the remote Apache Traffic Server install is affected by multiple vulnerabilities.

  - Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for     request smuggling and may also lead cache poisoning if the origin servers are vulnerable. (CVE-2024-35161)

  - Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests     to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin     servers are vulnerable. (CVE-2023-38522)

  - Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests     (CVE-2024-35296)

Note that Nessus did not actually test for these issues, but instead has relied on the version found in the server's banner.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-2243c5abee advisory.

    Update to upstream 9.2.5     Resolves CVE-2023-38522, CVE-2024-35161, CVE-2024-35296

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-77fe791124 advisory.

    Update to upstream 9.2.5     Resolves CVE-2023-38522, CVE-2024-35161, CVE-2024-35296

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
246853	Linux Distros Unpatched Vulnerability : CVE-2023-38522	Nessus	Misc.	high
207853	Debian dla-3897 : trafficserver - security update	Nessus	Debian Local Security Checks	high
206207	Debian dsa-5758 : trafficserver - security update	Nessus	Debian Local Security Checks	high
205310	Apache Traffic Server 8.x < 8.1.11 / 9.x < 9.2.5 Multiple Vulnerabilities	Nessus	Web Servers	high
204987	Fedora 39 : trafficserver (2024-2243c5abee)	Nessus	Fedora Local Security Checks	high
204985	Fedora 40 : trafficserver (2024-77fe791124)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2023-38522

high

Tenable Plugins

high

high

high

high

high

high