{"api_version":"1","generated_at":"2026-07-11T07:33:47+00:00","cve":"CVE-2018-11783","urls":{"html":"https://cve.report/CVE-2018-11783","api":"https://cve.report/api/cve/CVE-2018-11783.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-11783","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-11783"},"summary":{"title":"CVE-2018-11783","description":"sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios. This problem was discovered in versions 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, and 8.0.0 to 8.0.1.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2019-03-07 18:29:00","updated_at":"2023-11-07 02:51:00"},"problem_types":["CWE-200"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/107032","name":"107032","refsource":"BID","tags":["Third Party Advisory"],"title":"Apache Traffic Server sslheader Plugin CVE-2018-11783 Information Disclosure Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.apache.org/thread.html/4f102f943935476732fb1fb653d687c7b69d29d9792f0d6cf72c505e@%3Cannounce.trafficserver.apache.org%3E","name":"[trafficserver-announce] 20190212 [ANNOUNCE] Apache Traffic Server vulnerability with sslheader plugin","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/4f102f943935476732fb1fb653d687c7b69d29d9792f0d6cf72c505e%40%3Cannounce.trafficserver.apache.org%3E","name":"[trafficserver-announce] 20190212 [ANNOUNCE] Apache Traffic Server vulnerability with sslheader plugin","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-11783","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-11783","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"11783","vulnerable":"1","versionEndIncluding":"6.0.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"traffic_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"11783","vulnerable":"1","versionEndIncluding":"7.1.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"traffic_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"11783","vulnerable":"1","versionEndIncluding":"8.0.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"traffic_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","DATE_PUBLIC":"2019-02-12T00:00:00","ID":"CVE-2018-11783","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Traffic Server","version":{"version_data":[{"version_value":"Apache Traffic Server 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, 8.0.0 to 8.0.1"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios. This problem was discovered in versions 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, and 8.0.0 to 8.0.1."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Information Disclosure"}]}]},"references":{"reference_data":[{"name":"107032","refsource":"BID","url":"http://www.securityfocus.com/bid/107032"},{"name":"[trafficserver-announce] 20190212 [ANNOUNCE] Apache Traffic Server vulnerability with sslheader plugin","refsource":"MLIST","url":"https://lists.apache.org/thread.html/4f102f943935476732fb1fb653d687c7b69d29d9792f0d6cf72c505e@%3Cannounce.trafficserver.apache.org%3E"}]}},"nvd":{"publishedDate":"2019-03-07 18:29:00","lastModifiedDate":"2023-11-07 02:51:00","problem_types":["CWE-200"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndIncluding":"8.0.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndIncluding":"6.0.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndIncluding":"7.1.5","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"11783","Ordinal":"128276","Title":"CVE-2018-11783","CVE":"CVE-2018-11783","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"11783","Ordinal":"1","NoteData":"sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios. This problem was discovered in versions 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, and 8.0.0 to 8.0.1.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"11783","Ordinal":"2","NoteData":"2019-03-07","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"11783","Ordinal":"3","NoteData":"2019-03-08","Type":"Other","Title":"Modified"}]}}}