{"api_version":"1","generated_at":"2026-06-30T13:52:10+00:00","cve":"CVE-2018-8004","urls":{"html":"https://cve.report/CVE-2018-8004","api":"https://cve.report/api/cve/CVE-2018-8004.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-8004","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-8004"},"summary":{"title":"CVE-2018-8004","description":"There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2018-08-29 13:29:00","updated_at":"2023-11-07 03:01:00"},"problem_types":["CWE-444"],"metrics":[],"references":[{"url":"https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5%40%3Cusers.trafficserver.apache.org%3E","name":"[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with multiple HTTP smuggling and cache poisoning attacks - CVE-2018-8004","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2018/dsa-4282","name":"DSA-4282","refsource":"DEBIAN","tags":["Third Party Advisory"],"title":"Debian -- Security Information -- DSA-4282-1 trafficserver","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/apache/trafficserver/pull/3201","name":"https://github.com/apache/trafficserver/pull/3201","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"Close the connection when returning a 400 error response by bryancall · Pull Request #3201 · apache/trafficserver · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/105192","name":"105192","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Apache Traffic Server CVE-2018-8004 Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5@%3Cusers.trafficserver.apache.org%3E","name":"[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with multiple HTTP smuggling and cache poisoning attacks - CVE-2018-8004","refsource":"MLIST","tags":["Mailing List","Vendor Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/apache/trafficserver/pull/3192","name":"https://github.com/apache/trafficserver/pull/3192","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"Return 400 if there is whitespace after the field name and before the colon by bryancall · Pull Request #3192 · apache/trafficserver · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/apache/trafficserver/pull/3251","name":"https://github.com/apache/trafficserver/pull/3251","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"Drain the request body if there is a cache hit by bryancall · Pull Request #3251 · apache/trafficserver · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/apache/trafficserver/pull/3231","name":"https://github.com/apache/trafficserver/pull/3231","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"Validate Content-Length headers for incoming requests by bryancall · Pull Request #3231 · apache/trafficserver · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-8004","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-8004","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"8004","vulnerable":"1","versionEndIncluding":"6.2.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"traffic_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8004","vulnerable":"1","versionEndIncluding":"7.1.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"traffic_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8004","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8004","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","DATE_PUBLIC":"2018-08-28T00:00:00","ID":"CVE-2018-8004","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Traffic Server","version":{"version_data":[{"version_value":"6.0.0 to 6.2.2"},{"version_value":"7.0.0 to 7.1.3"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Information Disclosure"}]}]},"references":{"reference_data":[{"name":"https://github.com/apache/trafficserver/pull/3201","refsource":"CONFIRM","url":"https://github.com/apache/trafficserver/pull/3201"},{"name":"https://github.com/apache/trafficserver/pull/3251","refsource":"CONFIRM","url":"https://github.com/apache/trafficserver/pull/3251"},{"name":"https://github.com/apache/trafficserver/pull/3192","refsource":"CONFIRM","url":"https://github.com/apache/trafficserver/pull/3192"},{"name":"105192","refsource":"BID","url":"http://www.securityfocus.com/bid/105192"},{"name":"DSA-4282","refsource":"DEBIAN","url":"https://www.debian.org/security/2018/dsa-4282"},{"name":"[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with multiple HTTP smuggling and cache poisoning attacks - CVE-2018-8004","refsource":"MLIST","url":"https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5@%3Cusers.trafficserver.apache.org%3E"},{"name":"https://github.com/apache/trafficserver/pull/3231","refsource":"CONFIRM","url":"https://github.com/apache/trafficserver/pull/3231"}]}},"nvd":{"publishedDate":"2018-08-29 13:29:00","lastModifiedDate":"2023-11-07 03:01:00","problem_types":["CWE-444"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndIncluding":"6.2.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndIncluding":"7.1.3","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"8004","Ordinal":"124321","Title":"CVE-2018-8004","CVE":"CVE-2018-8004","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"8004","Ordinal":"1","NoteData":"There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"8004","Ordinal":"2","NoteData":"2018-08-29","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"8004","Ordinal":"3","NoteData":"2018-09-02","Type":"Other","Title":"Modified"}]}}}