Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by a vulnerability as referenced in the USN-8050-1 advisory.

    Masakazu Kitajo discovered that Apache Traffic Server did not properly handle the Valid Host header field.
    An attacker could possibly use this issue to cause a denial of service (DoS).

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects     Apache Traffic Server: from 9.2.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which     fixes the issue, or 10.0.2, which does not have the issue. (CVE-2024-50305)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5896 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5896-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     April 05, 2025                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : trafficserver     CVE ID         : CVE-2024-38311 CVE-2024-38479 CVE-2024-50305                      CVE-2024-50306 CVE-2024-56195 CVE-2024-56202

    Several vulnerabilities were discovered in Apache Traffic Server, a     reverse and forward proxy server, which could result in denial of     service, HTTP request smuggling, cache poisoning or incomplete     dropping of privileges.

    For the stable distribution (bookworm), these problems have been fixed in     version 9.2.5+ds-0+deb12u2.

    We recommend that you upgrade your trafficserver packages.

    For the detailed security status of trafficserver please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/trafficserver

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-f4dc07db08 advisory.

    - Update to upstream 9.2.6
    - Backport fix for broken oubound TLS with OpenSSL 3.2+
    - Resolves CVE-2024-38479, CVE-2024-50305, CVE-2024-50306


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-589ea34c42 advisory.

    - Update to upstream 9.2.6
    - Backport fix for broken oubound TLS with OpenSSL 3.2+
    - Resolves CVE-2024-38479, CVE-2024-50305, CVE-2024-50306


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-b3c4e8da81 advisory.

    - Update to upstream 9.2.6
    - Backport fix for broken oubound TLS with OpenSSL 3.2+
    - Resolves CVE-2024-38479, CVE-2024-50305, CVE-2024-50306


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
299635	Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : Apache Traffic Server vulnerability (USN-8050-1)	Nessus	Ubuntu Local Security Checks	high
258538	Linux Distros Unpatched Vulnerability : CVE-2024-50305	Nessus	Misc.	high
233897	Debian dsa-5896 : trafficserver - security update	Nessus	Debian Local Security Checks	critical
211719	Fedora 41 : trafficserver (2024-f4dc07db08)	Nessus	Fedora Local Security Checks	critical
211717	Fedora 39 : trafficserver (2024-589ea34c42)	Nessus	Fedora Local Security Checks	critical
211716	Fedora 40 : trafficserver (2024-b3c4e8da81)	Nessus	Fedora Local Security Checks	critical

Detections

Analytics

CVE-2024-50305

high

Tenable Plugins

high

high

critical

critical

critical

critical