ID

VAR-202004-1820


CVE

CVE-2020-9481


TITLE

Apache Traffic Server resource management error vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-28765 // CNNVD: CNNVD-202004-2226

DESCRIPTION

Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack. Apache ATS contains a resource exhaustion vulnerability, which may result in a denial of service (DoS) condition. Apache Traffic Server (ATS) is a set of scalable HTTP proxy and cache servers from the Apache Software Foundation. An attacker can use this vulnerability to cause a denial of service.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4672-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 01, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : trafficserver
CVE ID         : CVE-2019-17559 CVE-2019-17565 CVE-2020-1944 CVE-2020-9481

Several vulnerabilities were discovered in Apache Traffic Server, a reverse
and forward proxy server, which could result in denial of service or
request smuggling attacks.

For the stable distribution (buster), these problems have been fixed in
version 8.0.2+ds-1+deb10u2.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl6sXUoACgkQEMKTtsN8
TjYFJA//VVLh3ighaQPMj9HhwDwsOrn0GSj8UkRc/nYuEQBdfKf5nE7JJio//U65
NHCGih9o9sfnZ9q+bxryED+RiKMOyUvxqMOqRhXItekVkXaRNWcXWqbGW+2MTL1H
yOSaq9oMMv04/xzUcWId3T3WdrZk9vlehGmj7Eo0W2eH65itXL+RaKAJuZL+Jtrl
XsT380xATHKyyuiN2OaIgWwFGSpzQ1cwXnvQzYOk1LXlTqFA9UhBWZJHsNAwXlqQ
ANURjLVa5Z+LwmkpAgpksL+bSMinX+XKKNsc82e0NJkDFuk/VhQle3AYhERC23eC
Nar2nXHMC9yvH/ym8MNVYa48PTWD3xYalncAOyMiw7b4tts4uWkAPpnhWxY2g9p5
0xIlZvlDFzW50DsneNo1cHscsg4hlYDlzo2ucYBZHlFRFVj+tVU7t/5E+PctKifi
ls8jf7TrDqLJfyyVxH9k+qMpo2KbOWk/PgCfaOsWbTcEVlpUUOCfTx1+rExTVNVs
cmkrA3GYijHNqLhs2Lsrv3TnSOviSXdewnN1uGlfhSEPL9LndKOaxWr6w9P4HCVF
Qvt8p9lZCQM4zs9FvSrvbb6y9B6P5/BzQKwTlJ/ziuUQeLz3Cn+skt9sRFP0u2Un
NGefeHnatRuux9EFVnEqHRsG2+/HbpXiv/Hfdh0M6PNeW23PqLI=
=0mTC
-----END PGP SIGNATURE-----

Trust: 2.34

sources: NVD: CVE-2020-9481 // JVNDB: JVNDB-2020-004901 // CNVD: CNVD-2020-28765 // VULMON: CVE-2020-9481 // PACKETSTORM: 168822

IOT TAXONOMY

category: Network device
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-28765

AFFECTED PRODUCTS

vendor   model           scope   version           Trust
apache   traffic server  gte     8.0.0             1.0
apache   traffic server  lte     8.0.6             1.0
apache   traffic server  gte     7.0.0             1.0
apache   traffic server  lte     6.2.3             1.0
apache   traffic server  gte     6.0.0             1.0
debian   linux           eq      10.0              1.0
apache   traffic server  lte     7.1.9             1.0
apache   traffic server  eq      6.0.0 to 6.2.3    0.8
apache   traffic server  eq      7.0.0 to 7.1.9    0.8
apache   traffic server  eq      8.0.0 to 8.0.6    0.8
debian   gnu/linux       -       -                 0.8
apache   traffic server  gte     6.0.0,<=6.2.3     0.6
apache   traffic server  gte     7.0.0,<=7.1.9     0.6
apache   traffic server  gte     8.0.0,<=8.0.6     0.6
apache   traffic server  eq      6.0.0             0.1
apache   traffic server  eq      6.0.3             0.1
apache   traffic server  eq      6.1.0             0.1
apache   traffic server  eq      6.1.1             0.1
apache   traffic server  eq      6.2.0             0.1
apache   traffic server  eq      6.2.1             0.1
apache   traffic server  eq      6.2.2             0.1
apache   traffic server  eq      6.2.3             0.1
apache   traffic server  eq      7.0.0             0.1
apache   traffic server  eq      7.1.0             0.1
apache   traffic server  eq      7.1.1             0.1
apache   traffic server  eq      7.1.2             0.1
apache   traffic server  eq      7.1.3             0.1
apache   traffic server  eq      7.1.4             0.1
apache   traffic server  eq      7.1.5             0.1
apache   traffic server  eq      7.1.6             0.1
apache   traffic server  eq      7.1.7             0.1
apache   traffic server  eq      7.1.8             0.1
apache   traffic server  eq      7.1.9             0.1
apache   traffic server  eq      8.0.0             0.1
apache   traffic server  eq      8.0.1             0.1
apache   traffic server  eq      8.0.2             0.1
apache   traffic server  eq      8.0.3             0.1
apache   traffic server  eq      8.0.4             0.1
apache   traffic server  eq      8.0.5             0.1
apache   traffic server  eq      8.0.6             0.1
debian   linux           eq      10                0.1

sources: CNVD: CNVD-2020-28765 // VULMON: CVE-2020-9481 // JVNDB: JVNDB-2020-004901 // NVD: CVE-2020-9481

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-9481
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-004901
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-28765
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202004-2226
value: HIGH

Trust: 0.6

VULMON: CVE-2020-9481
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-9481
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-004901
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-28765
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-9481
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-004901
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-28765 // VULMON: CVE-2020-9481 // JVNDB: JVNDB-2020-004901 // CNNVD: CNNVD-202004-2226 // NVD: CVE-2020-9481

PROBLEMTYPE DATA

problemtype: CWE-400

Trust: 1.8

sources: JVNDB: JVNDB-2020-004901 // NVD: CVE-2020-9481

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-2226

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202004-2226

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-004901

PATCH

title: [ANNOUNCE] Apache Traffic Server is vulnerable to a HTTP/2 slow read attack (revised URL to CVE)
url: https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E

Trust: 0.8

title: DSA-4672
url: https://www.debian.org/security/2020/dsa-4672

Trust: 0.8

title: Patch for Apache Traffic Server resource management error vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/217791

Trust: 0.6

title: Apache Traffic Server: remediation of resource management error vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=117728

Trust: 0.6

title: Debian Security Advisories: DSA-4672-1 trafficserver -- security update
url: https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=068031a0d7824f96d2ef05460c32232d

Trust: 0.1

sources: CNVD: CNVD-2020-28765 // VULMON: CVE-2020-9481 // JVNDB: JVNDB-2020-004901 // CNNVD: CNNVD-202004-2226

EXTERNAL IDS

db: NVD, id: CVE-2020-9481

Trust: 3.2

db: JVNDB, id: JVNDB-2020-004901

Trust: 0.8

db: CNVD, id: CNVD-2020-28765

Trust: 0.6

db: AUSCERT, id: ESB-2020.1566

Trust: 0.6

db: CNNVD, id: CNNVD-202004-2226

Trust: 0.6

db: VULMON, id: CVE-2020-9481

Trust: 0.1

db: PACKETSTORM, id: 168822

Trust: 0.1

sources: CNVD: CNVD-2020-28765 // VULMON: CVE-2020-9481 // JVNDB: JVNDB-2020-004901 // PACKETSTORM: 168822 // CNNVD: CNNVD-202004-2226 // NVD: CVE-2020-9481

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2020-9481

Trust: 2.1

url:https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3cannounce.trafficserver.apache.org%3e

Trust: 1.7

url:https://www.debian.org/security/2020/dsa-4672

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9481

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.1566/

Trust: 0.6

url:https://vigilance.fr/vulnerability/apache-traffic-server-overload-via-http-2-slow-read-32173

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/400.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/180966

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-1944

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-17565

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://security-tracker.debian.org/tracker/trafficserver

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-17559

Trust: 0.1

sources: CNVD: CNVD-2020-28765 // VULMON: CVE-2020-9481 // JVNDB: JVNDB-2020-004901 // PACKETSTORM: 168822 // CNNVD: CNNVD-202004-2226 // NVD: CVE-2020-9481

CREDITS

Debian

Trust: 0.1

sources: PACKETSTORM: 168822

SOURCES

db: CNVD, id: CNVD-2020-28765
db: VULMON, id: CVE-2020-9481
db: JVNDB, id: JVNDB-2020-004901
db: PACKETSTORM, id: 168822
db: CNNVD, id: CNNVD-202004-2226
db: NVD, id: CVE-2020-9481

LAST UPDATE DATE

2024-11-23T21:51:37.843000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-28765, date: 2020-05-18T00:00:00
db: VULMON, id: CVE-2020-9481, date: 2020-05-07T00:00:00
db: JVNDB, id: JVNDB-2020-004901, date: 2020-06-01T00:00:00
db: CNNVD, id: CNNVD-202004-2226, date: 2020-05-06T00:00:00
db: NVD, id: CVE-2020-9481, date: 2024-11-21T05:40:44.080

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-28765, date: 2020-05-18T00:00:00
db: VULMON, id: CVE-2020-9481, date: 2020-04-27T00:00:00
db: JVNDB, id: JVNDB-2020-004901, date: 2020-06-01T00:00:00
db: PACKETSTORM, id: 168822, date: 2020-05-28T19:12:00
db: CNNVD, id: CNNVD-202004-2226, date: 2020-04-27T00:00:00
db: NVD, id: CVE-2020-9481, date: 2020-04-27T22:15:12.457