trafficserver-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bryan Call <bc...@apache.org>
Subject Re: [ANNOUNCE] Apache Traffic Server vulnerability with header variable access in the ESI plugin - CVE-2018-8040
Date Wed, 29 Aug 2018 00:17:01 GMT
There was an error in the Version Affected section.  This also effects version 7.1.3 and users
running 7.x should upgrade to 7.1.4 or later versions.

Thank you,

-Bryan



> On Aug 28, 2018, at 3:39 PM, Bryan Call <bcall@apache.org> wrote:
> 
> CVE-2018-8040: Apache Traffic Server vulnerability with header variable access in the
ESI plugin
> 
> Reported By:
> Louis Dion-Marcil
> 
> Vendor:
> The Apache Software Foundation
> 
> Version Affected:
> ATS 6.0.0 to 6.2.2
> ATS 7.0.0 to 7.1.2
> 
> Description:
> Pages that are rendered using the ESI plugin can have access to the cookie header when
the plugin is configure not to allow access.
> 
> Mitigation:
> 6.x users should upgrade to 6.2.3 or later versions
> 7.x users should upgrade to 7.1.3 or later versions
> 
> References:
> 	Downloads:
> 		https://trafficserver.apache.org/downloads
> 	Github Pull Request:
> 		https://github.com/apache/trafficserver/pull/3926
> 	CVE:
> 		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8040
> 
> -Bryan
> 
> 
> 


Mime
View raw message