6 important vulnerabilities in Apache Traffic Server: Patch immediately

Information security specialists reported the finding of multiple vulnerabilities in Apache Traffic Server. According to the report, successful exploitation of these flaws would allow compromising the affected systems.

Below are brief descriptions of the reported flaws, in addition to their tracking keys scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-37147: The improper validation of HTTP requests would allow remote attackers to send specially crafted HTTP requests to the affected server and smuggle arbitrary HTTP headers.

This is a medium severity flaw and received a 5.5/10 CVSS score.

CVE-2021-37148: The improper validation of HTTP requests may allow remote malicious hackers to send specially designed HTTP requests to the affected servers, thus performing arbitrary HTTP smuggling. 

The vulnerability received a CVSS score of 5.3/10.

CVE-2021-37149: The improper validation of HTTP requests would allow remote malicioyus hackers to send specially designed HTTP requests to the compromised servers and perform arbitrary HTTP headers.

This is a low severity flaw and received a CVSS score of 5.3/10.

CVE-2021-41585: The improper management of internal resources would allow remote attackers to force the server to stop, which will eventually lead to a denial of service (DoS) condition.

The vulnerability received a 6.5/10 CVSS score.

CVE-2021-43082: A boundary error in the stats-over-http plugin would allow remote threat actors to send specially crafted traffic to the server and run arbitrary code on the affected system.

This is a high severity flaw and received an 8.5/10 CVSS score.

CVE-2021-38161: The improper verification of TLS origin would allow remote hackers to intercept and decrypt traffic from target clients.

The vulnerability received a CVSS score of 5.3/10.