CVE-2018-8040
Summary
| CVE | CVE-2018-8040 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-08-29 13:29:00 UTC |
| Updated | 2023-11-07 03:01:00 UTC |
| Description | Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions. |
Risk And Classification
Problem Types: CWE-668
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Traffic Server | All | All | All | All |
| Application | Apache | Traffic Server | All | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Malformed Request | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Debian -- Security Information -- DSA-4282-1 trafficserver | DEBIAN | www.debian.org | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Restrict access to request headers for ESI variables by shukitchan · Pull Request #3926 · apache/trafficserver · GitHub | CONFIRM | github.com | Patch, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Mitigation, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.