======================================================================
CERT-Renater

Information Note No. 2024/VULN475
_____________________________________________________________________

DATE                 : 15/11/2024

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Apache Traffic Server versions
                       prior to 9.2.6, 10.0.2.

=====================================================================
https://lists.apache.org/thread/jr0kk5xs2dzmb12203bbots7rpmtz50y
_____________________________________________________________________

[ANNOUNCE] Apache Traffic Server is vulnerable to specific user inputs

Description:
Apache Traffic Server is vulnerable to specific user inputs

CVE:
CVE-2024-38479 - Cache key plugin is vulnerable to cache poisoning attack
CVE-2024-50305 - Valid Host field value can cause crashes
CVE-2024-50306 - Server process can fail to drop privilege

Reported By:
Bryan Call (CVE-2024-38479)
Masakazu Kitajo (CVE-2024-50305)
Jeffrey BENCTEUX (CVE-2024-50306)

Vendor:
The Apache Software Foundation

Version Affected:
ATS 9.0.0 to 9.2.5 (CVE-2024-38479, CVE-2024-50305, CVE-2024-50306)
ATS 10.0.0 to 10.0.1 (CVE-2024-50306)

Mitigation:
9.x users should upgrade to 9.2.6 or later versions
10.x users should upgrade to 10.0.2 or later versions

CVE:
https://www.cve.org/CVERecord?id=CVE-2024-38479
https://www.cve.org/CVERecord?id=CVE-2024-50305
https://www.cve.org/CVERecord?id=CVE-2024-50306

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
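
Added example, not part of the advisory or of Apache Traffic Server: a small triage script that checks an inventory of reported ATS versions against the affected ranges and fixed releases listed above. The host names, the sample version strings and the function names are constructed for illustration.

```python
import re

# Affected ranges and first fixed releases, as stated in the advisory:
# (first affected, last affected, applicable CVEs, upgrade target)
ADVISORY = [
    ((9, 0, 0), (9, 2, 5),
     ["CVE-2024-38479", "CVE-2024-50305", "CVE-2024-50306"], "9.2.6"),
    ((10, 0, 0), (10, 0, 1), ["CVE-2024-50306"], "10.0.2"),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first x.y.z triple from a version string, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(version_text):
    """Return (status, cves, upgrade_to) for one reported ATS version."""
    v = parse_version(version_text)
    if v is None:
        return ("unparsed", [], None)
    # Integer tuples compare numerically, so 9.2.10 sorts after 9.2.5
    # (a plain string comparison would get this wrong).
    for low, high, cves, fixed in ADVISORY:
        if low <= v <= high:
            return ("affected", cves, fixed)
    # Outside both ranges: not covered by this advisory, which is not
    # the same as a statement that the version is safe.
    return ("not listed", [], None)


def triage_inventory(inventory):
    """Map host -> triage result for a {host: version string} inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and version strings).
    sample = {"edge-01": "9.2.5", "edge-02": "Apache Traffic Server 9.2.6",
              "edge-03": "10.0.1", "edge-04": "10.0.2", "edge-05": "unknown"}
    for host, (status, cves, fixed) in triage_inventory(sample).items():
        detail = f"{', '.join(cves)} -> upgrade to {fixed} or later" if cves else ""
        print(f"{host}: {status} {detail}".rstrip())
```

Hosts reported as "unparsed" need a manual version check before they can be ruled in or out.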