QwikSec

Security Database

CVE

CWE

Training

CVE-2018-8040

Published: Aug 29, 2018

Modified: Sep 17, 2024

PUBLISHED

Description

Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.

Vendor	Product	Versions
Apache Software Foundation	Apache Traffic Server	affected `6.0.0 to 6.2.2` affected `7.0.0 to 7.1.3`

References

https://github.com/apache/trafficserver/pull/3926

x_refsource_CONFIRM

[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with header variable access in the ESI plugin - CVE-2018-8040

mailing-list

x_refsource_MLIST

[trafficserver-users] 20180828 Re: [ANNOUNCE] Apache Traffic Server vulnerability with header variable access in the ESI plugin - CVE-2018-8040

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_DEBIAN

vdb-entry

x_refsource_BID

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.