There was an error in the Version Affected section. This also effects version 7.1.3 and users
running 7.x should upgrade to 7.1.4 or later versions.
Thank you,
-Bryan
> On Aug 28, 2018, at 3:39 PM, Bryan Call <bcall@apache.org> wrote:
>
> CVE-2018-8040: Apache Traffic Server vulnerability with header variable access in the
ESI plugin
>
> Reported By:
> Louis Dion-Marcil
>
> Vendor:
> The Apache Software Foundation
>
> Version Affected:
> ATS 6.0.0 to 6.2.2
> ATS 7.0.0 to 7.1.2
>
> Description:
> Pages that are rendered using the ESI plugin can have access to the cookie header when
the plugin is configure not to allow access.
>
> Mitigation:
> 6.x users should upgrade to 6.2.3 or later versions
> 7.x users should upgrade to 7.1.3 or later versions
>
> References:
> Downloads:
> https://trafficserver.apache.org/downloads
> Github Pull Request:
> https://github.com/apache/trafficserver/pull/3926
> CVE:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8040
>
> -Bryan
>
>
>
|