[Medium Risk] Improper validation of Apache Traffic Server Range header

Vulnerability description

Apache Traffic Server (ATS) is an open source reverse proxy and caching server.

In affected versions, the HttpTransact class does not reject invalid Range headers, and the URL class does not collapse repeated slashes in incoming URL paths. An attacker can abuse these gaps to bypass access control, cause a denial of service, or poison the Apache Traffic Server cache.
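As an added illustration (not code from the advisory, the patches, or the ATS project), the following Python shows the two defensive checks the description points at: a strict parser for the byte-range syntax of the Range header that rejects malformed or unsatisfiable range specs and caps how many ranges one request may ask for, and a path normalizer that collapses repeated slashes before a URL is used as a cache key or matched against access rules. The function names, the max_specs limit and the sample inputs are assumptions of this example, not behaviour taken from ATS.

```python
import re
from typing import List, Optional, Tuple

# One byte-range spec is "first-last", "first-" or "-suffix" (RFC 9110 syntax).
# Anything else (empty spec, "--1", letters, spaces inside a number) is rejected.
_RANGE_SPEC = re.compile(r"^(\d+)-(\d*)$|^-(\d+)$")


def parse_byte_ranges(value: str, content_length: int,
                      max_specs: int = 16) -> Optional[List[Tuple[int, int]]]:
    """Return resolved, inclusive (start, end) pairs for a Range header value.

    Returns None when the header is malformed or unsatisfiable; a proxy should
    then either answer 416 or ignore the header and serve the full object,
    rather than forward an unchecked Range to the origin or the cache.
    The max_specs cap (an assumed value) bounds the work one request can cause.
    """
    if not value.startswith("bytes="):
        return None
    specs = value[len("bytes="):].split(",")
    if len(specs) > max_specs:
        return None
    ranges: List[Tuple[int, int]] = []
    for raw in specs:
        m = _RANGE_SPEC.fullmatch(raw.strip())
        if not m:
            return None
        if m.group(3) is not None:
            # "-suffix": the last N bytes; a zero-length suffix is unsatisfiable.
            suffix = int(m.group(3))
            if suffix == 0:
                return None
            start, end = max(0, content_length - suffix), content_length - 1
        else:
            start = int(m.group(1))
            if m.group(2):
                end = int(m.group(2))
                if end < start:          # "500-100" is syntactically invalid
                    return None
            else:
                end = content_length - 1
            if start >= content_length:  # entirely past the end: unsatisfiable
                return None
            end = min(end, content_length - 1)
        ranges.append((start, end))
    return ranges


def normalize_path(url: str) -> str:
    """Collapse runs of '/' in the path component only, leaving the query intact,
    so "/a//b" and "/a/b" map to the same cache key and the same access rule."""
    path, sep, query = url.partition("?")
    return re.sub(r"/{2,}", "/", path) + sep + query


if __name__ == "__main__":
    # Constructed sample inputs for a 1000-byte object.
    for hdr in ("bytes=0-99", "bytes=-100", "bytes=500-100", "bytes=abc"):
        print(hdr, "->", parse_byte_ranges(hdr, 1000))
    print(normalize_path("/cache//secret///file?x=1//2"))
```

parse_byte_ranges deliberately fails closed: any spec it cannot fully account for makes the whole header invalid, which is the behaviour a proxy wants before a request reaches cache lookup or an origin.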

Vulnerability name: Improper validation of Apache Traffic Server Range header
Vulnerability type: Improper input validation
Discovery time: 2023/8/9
Vulnerability breadth: Small
MPS number: MPS-c850-3fjg
CVE number: CVE-2023-33934
CNVD number: -

Affected versions

Apache Traffic Server@[8.0.0, 8.1.8)

Apache Traffic Server@[9.0.0, 9.2.2)

Remediation

Upgrade Apache Traffic Server to 8.1.8, 9.2.2 or later.

The official patch has been released: https://github.com/apache/trafficserver/commit/3640b5f8daefe7f9a8d7c060f3f2a0cb04eb7532

The official patch has been released: https://github.com/apache/trafficserver/commit/c50ee6c4f2ae32f2c849fccb5b0f367165fe9c20

Reference links

https://www.oscs1024.com/hd/MPS-c850-3fjg

https://nvd.nist.gov/vuln/detail/CVE-2023-33934

https://lists.apache.org/thread/jsl6dfdgs1mjjo1mbtyflyjr7xftswhc

https://github.com/apache/trafficserver/commit/c50ee6c4f2ae32f2c849fccb5b0f367165fe9c20

https://github.com/apache/trafficserver/commit/3640b5f8daefe7f9a8d7c060f3f2a0cb04eb7532

About Murphy Security

Murphy Security is a technology company that provides professional software supply chain security management. The core team comes from Baidu, Huawei, Wuyun and other enterprises. The company offers customers a complete software supply chain security management platform covering the full software life cycle, built around SBOM security management. Platform capabilities include software component analysis, source security management, container image detection, vulnerability intelligence early warning and commercial software supply chain access assessment, giving customers control over supply chain asset identification and management, risk detection, security control, and one-click repair.
Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj

The product can be integrated with various tools in the existing development process at a very low cost, including seamless integration with dozens of tools such as IDE, Gitlab, Bitbucket, Jenkins, Harbor, and Nexus.
Free code security detection tool: https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj



Origin: blog.csdn.net/murphysec/article/details/132203852