{"api_version":"1","generated_at":"2026-06-29T13:26:52+00:00","cve":"CVE-2018-8005","urls":{"html":"https://cve.report/CVE-2018-8005","api":"https://cve.report/api/cve/CVE-2018-8005.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-8005","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-8005"},"summary":{"title":"CVE-2018-8005","description":"When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. This can cause performance problems with large objects in cache. This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x users should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2018-08-29 13:29:00","updated_at":"2023-11-07 03:01:00"},"problem_types":["CWE-400"],"metrics":[],"references":[{"url":"https://github.com/apache/trafficserver/pull/3124","name":"https://github.com/apache/trafficserver/pull/3124","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"Disables the support for multi-range request by default by zwoop · Pull Request #3124 · apache/trafficserver · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2018/dsa-4282","name":"DSA-4282","refsource":"DEBIAN","tags":["Third Party Advisory"],"title":"Debian -- Security Information -- DSA-4282-1 trafficserver","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/55d225af92887bfed0194400fd1b718622cca4140fc7318d982e25ca%40%3Cusers.trafficserver.apache.org%3E","name":"[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with multi-range requests - CVE-2018-8005","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/105187","name":"105187","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Apache Traffic Server CVE-2018-8005 Denial of Service Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.apache.org/thread.html/55d225af92887bfed0194400fd1b718622cca4140fc7318d982e25ca@%3Cusers.trafficserver.apache.org%3E","name":"[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with multi-range requests - CVE-2018-8005","refsource":"MLIST","tags":["Mailing List","Mitigation","Vendor Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/apache/trafficserver/pull/3106","name":"https://github.com/apache/trafficserver/pull/3106","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"Adds a new configuration proxy.config.http.allow_multi_range by zwoop · Pull Request #3106 · apache/trafficserver · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-8005","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-8005","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"8005","vulnerable":"1","versionEndIncluding":"6.2.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"traffic_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8005","vulnerable":"1","versionEndIncluding":"7.1.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"traffic_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8005","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8005","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","DATE_PUBLIC":"2018-08-28T00:00:00","ID":"CVE-2018-8005","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Traffic Server","version":{"version_data":[{"version_value":"6.0.0 to 6.2.2"},{"version_value":"7.0.0 to 7.1.3"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. This can cause performance problems with large objects in cache. This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x users should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Information Disclosure"}]}]},"references":{"reference_data":[{"name":"[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with multi-range requests - CVE-2018-8005","refsource":"MLIST","url":"https://lists.apache.org/thread.html/55d225af92887bfed0194400fd1b718622cca4140fc7318d982e25ca@%3Cusers.trafficserver.apache.org%3E"},{"name":"DSA-4282","refsource":"DEBIAN","url":"https://www.debian.org/security/2018/dsa-4282"},{"name":"105187","refsource":"BID","url":"http://www.securityfocus.com/bid/105187"},{"name":"https://github.com/apache/trafficserver/pull/3106","refsource":"CONFIRM","url":"https://github.com/apache/trafficserver/pull/3106"},{"name":"https://github.com/apache/trafficserver/pull/3124","refsource":"CONFIRM","url":"https://github.com/apache/trafficserver/pull/3124"}]}},"nvd":{"publishedDate":"2018-08-29 13:29:00","lastModifiedDate":"2023-11-07 03:01:00","problem_types":["CWE-400"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndIncluding":"6.2.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndIncluding":"7.1.3","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"8005","Ordinal":"124322","Title":"CVE-2018-8005","CVE":"CVE-2018-8005","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"8005","Ordinal":"1","NoteData":"When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. This can cause performance problems with large objects in cache. This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x users should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"8005","Ordinal":"2","NoteData":"2018-08-29","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"8005","Ordinal":"3","NoteData":"2018-09-02","Type":"Other","Title":"Modified"}]}}}