ID

VAR-202106-0973


CVE

CVE-2021-27577


TITLE

Apache Traffic Server Environmental Issues Vulnerability (CNVD-2021-70101)

Trust: 0.6

sources: CNVD: CNVD-2021-70101

DESCRIPTION

Incorrect handling of the URL fragment in Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, and 9.0.0 to 9.0.1. Apache Traffic Server (ATS) is a set of scalable HTTP proxy and cache servers of the Apache Foundation in the United States. An attacker can use this vulnerability to affect the cache of the target service. There is currently no further information about this vulnerability; follow CNNVD or vendor announcements.

Debian Security Advisory DSA-4957-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 13, 2021                       https://www.debian.org/security/faq

Package        : trafficserver
CVE ID         : CVE-2021-27577 CVE-2021-32566 CVE-2021-32567 CVE-2021-35474 CVE-2021-32565

Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling or cache poisoning.

For the stable distribution (buster), these problems have been fixed in version 8.0.2+ds-1+deb10u5.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to its security tracker page at: https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Trust: 2.16

sources: NVD: CVE-2021-27577 // CNVD: CNVD-2021-70101 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-27577 // PACKETSTORM: 169107

IOT TAXONOMY

category: ['Network device']; sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-70101

AFFECTED PRODUCTS

vendor: apache, model: traffic server, scope: gte, version: 7.0.0

Trust: 1.0

vendor: apache, model: traffic server, scope: lte, version: 9.0.1

Trust: 1.0

vendor: apache, model: traffic server, scope: gte, version: 9.0.0

Trust: 1.0

vendor: debian, model: linux, scope: eq, version: 8.0

Trust: 1.0

vendor: apache, model: traffic server, scope: lte, version: 8.1.1

Trust: 1.0

vendor: apache, model: traffic server, scope: gte, version: 8.0.0

Trust: 1.0

vendor: apache, model: traffic server, scope: lte, version: 7.1.12

Trust: 1.0

vendor: apache, model: traffic server, scope: gte, version: 8.0.0, <=8.1.1

Trust: 0.6

vendor: apache, model: traffic server, scope: gte, version: 9.0.0, <=9.0.1

Trust: 0.6

vendor: apache, model: traffic server, scope: gte, version: 7.0.0, <=7.1.12

Trust: 0.6

sources: CNVD: CNVD-2021-70101 // NVD: CVE-2021-27577

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-27577
value: HIGH

Trust: 1.0

CNVD: CNVD-2021-70101
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202106-1930
value: HIGH

Trust: 0.6

VULMON: CVE-2021-27577
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-27577
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

CNVD: CNVD-2021-70101
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-27577
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2021-70101 // VULMON: CVE-2021-27577 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1930 // NVD: CVE-2021-27577

PROBLEMTYPE DATA

problemtype: CWE-444

Trust: 1.0

sources: NVD: CVE-2021-27577

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-1930

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: Patch for Apache Traffic Server Environmental Issues Vulnerability (CNVD-2021-70101)
url: https://www.cnvd.org.cn/patchInfo/show/290336

Trust: 0.6

title: Apache Traffic Server remediation measures for environmental problem vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=156055

Trust: 0.6

title: Debian CVElist Bug Report Logs: trafficserver: Apache Traffic Server is vulnerable to various HTTP/1.x and HTTP/2 attacks
url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=b751099c4cea0bef933c0d8b21d6a659

Trust: 0.1

title: Debian Security Advisories: DSA-4957-1 trafficserver -- security update
url: https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=36855d9446fa2f34a6ebeffd24b3973b

Trust: 0.1

sources: CNVD: CNVD-2021-70101 // VULMON: CVE-2021-27577 // CNNVD: CNNVD-202106-1930

EXTERNAL IDS

db: NVD, id: CVE-2021-27577

Trust: 2.4

db: CNVD, id: CNVD-2021-70101

Trust: 0.6

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: CS-HELP, id: SB2021081714

Trust: 0.6

db: CS-HELP, id: SB2021063020

Trust: 0.6

db: AUSCERT, id: ESB-2021.2759

Trust: 0.6

db: CNNVD, id: CNNVD-202106-1930

Trust: 0.6

db: VULMON, id: CVE-2021-27577

Trust: 0.1

db: PACKETSTORM, id: 169107

Trust: 0.1

sources: CNVD: CNVD-2021-70101 // VULMON: CVE-2021-27577 // PACKETSTORM: 169107 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1930 // NVD: CVE-2021-27577

REFERENCES

url: https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3cusers.trafficserver.apache.org%3e

Trust: 1.7

url: https://www.debian.org/security/2021/dsa-4957

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-27577

Trust: 0.7

url: https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url: https://www.cybersecurity-help.cz/vdb/sb2021081714

Trust: 0.6

url: https://vigilance.fr/vulnerability/apache-traffic-server-five-vulnerabilities-36136

Trust: 0.6

url: https://www.cybersecurity-help.cz/vdb/sb2021063020

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2021.2759

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/444.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990303

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2021-32566

Trust: 0.1

url: https://www.debian.org/security/faq

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2021-32567

Trust: 0.1

url: https://www.debian.org/security/

Trust: 0.1

url: https://security-tracker.debian.org/tracker/trafficserver

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2021-35474

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2021-32565

Trust: 0.1

sources: CNVD: CNVD-2021-70101 // VULMON: CVE-2021-27577 // PACKETSTORM: 169107 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1930 // NVD: CVE-2021-27577

CREDITS

Debian

Trust: 0.1

sources: PACKETSTORM: 169107

SOURCES

db: CNVD, id: CNVD-2021-70101
db: VULMON, id: CVE-2021-27577
db: PACKETSTORM, id: 169107
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202106-1930
db: NVD, id: CVE-2021-27577

LAST UPDATE DATE

2024-08-14T12:37:42.794000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-70101, date: 2021-09-11T00:00:00
db: VULMON, id: CVE-2021-27577, date: 2021-08-14T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202106-1930, date: 2021-08-20T00:00:00
db: NVD, id: CVE-2021-27577, date: 2021-09-20T18:52:33.137

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-70101, date: 2021-09-11T00:00:00
db: VULMON, id: CVE-2021-27577, date: 2021-06-29T00:00:00
db: PACKETSTORM, id: 169107, date: 2021-08-28T19:12:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202106-1930, date: 2021-06-29T00:00:00
db: NVD, id: CVE-2021-27577, date: 2021-06-29T12:15:08.437