ID

VAR-202106-1082


CVE

CVE-2021-32565


TITLE

Apache Traffic Server  In  HTTP  Request Smuggling Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-008907

DESCRIPTION

Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4957-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 13, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : trafficserver CVE ID : CVE-2021-27577 CVE-2021-32566 CVE-2021-32567 CVE-2021-35474 CVE-2021-32565 Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling or cache poisoning. For the stable distribution (buster), these problems have been fixed in version 8.0.2+ds-1+deb10u5. We recommend that you upgrade your trafficserver packages. For the detailed security status of trafficserver please refer to its security tracker page at: https://security-tracker.debian.org/tracker/trafficserver Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmEW2boACgkQEMKTtsN8 TjbGiA//ZQ1onYoleaQXDZ5myg7Opn8zceGdW9Dz907hCM9/cTyJQUxPnYRK24uP xtg9iW10YNwl3XaqSDGChBrAtnxFkzXid5QIxqlEzWfGhWTIfgYtumUB99X4Hp2n noprV5wHa5OAZsgQvRA6UXHZrGxpdbShvo9NQSuD4WN0Vukbj862v1h1jURlblDA GD+LbNeIcz44Z4udQNIpbuth9RJs6ezobgwnQngH7AA+4DvgW4qVlz+vrEo4P2tW jEKzdaXrKKC1Cdf6qiEzJ7+2uWGTLA9TOuadGSNzDnscjKDtqxG8WLxtGToDYurK xK+Cfo1cj4+OqaIaCfbfi6bxD1nbliEAYr0CsfL0wxtHpwqLbCMlr0KF/2+Ya5Rc LjOQrhgvUmjv2SCHVQZ4q01u27ulrFFHg6gqrdb7k3SddV2xka/OMdINTEKa1H/X JyhQJ40DcYqMfPfCIbX86NZAsAQDYwp6x/DTiIEHa/H0qCN9FAq0k4aAvcRuqvEF Ymb/E+kEN2TfoANpvyMTlFD0awUW+lo9IvmNumBq8jSGipM9nwx0/wZTdgKSVpni BJ0kCn3RHPd4DYLejocbnjc4clI6ctW/K3E89nb5wVHbXQHBK7sgfJYmw2aYKF6J 9h7/vdjNuEEBHSpHXO54W4CFH39UZ7DnI4uF0Ju61I+i+g7rQAE= =4fML -----END PGP SIGNATURE-----

Trust: 2.88

sources: NVD: CVE-2021-32565 // JVNDB: JVNDB-2021-008907 // CNVD: CNVD-2021-49082 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-32565 // PACKETSTORM: 169107

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-49082

AFFECTED PRODUCTS

vendor:apachemodel:traffic serverscope:gteversion:7.0.0

Trust: 1.0

vendor:apachemodel:traffic serverscope:lteversion:9.0.1

Trust: 1.0

vendor:apachemodel:traffic serverscope:gteversion:9.0.0

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:10.0

Trust: 1.0

vendor:apachemodel:traffic serverscope:lteversion:8.1.1

Trust: 1.0

vendor:apachemodel:traffic serverscope:gteversion:8.0.0

Trust: 1.0

vendor:apachemodel:traffic serverscope:lteversion:7.1.12

Trust: 1.0

vendor:apachemodel:traffic serverscope: - version: -

Trust: 0.8

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:apachemodel:traffic serverscope:gteversion:7.0.0<=7.1.12

Trust: 0.6

vendor:apachemodel:traffic serverscope:gteversion:8.0.0,<=8.1.1

Trust: 0.6

vendor:apachemodel:traffic serverscope:gteversion:9.0.0,<=9.0.1

Trust: 0.6

sources: CNVD: CNVD-2021-49082 // JVNDB: JVNDB-2021-008907 // NVD: CVE-2021-32565

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-32565
value: HIGH

Trust: 1.0

NVD: CVE-2021-32565
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-49082
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202106-1942
value: HIGH

Trust: 0.6

VULMON: CVE-2021-32565
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-32565
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-49082
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-32565
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-32565
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-49082 // VULMON: CVE-2021-32565 // JVNDB: JVNDB-2021-008907 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1942 // NVD: CVE-2021-32565

PROBLEMTYPE DATA

problemtype:CWE-444

Trust: 1.0

problemtype:HTTP Request Smuggling (CWE-444) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-008907 // NVD: CVE-2021-32565

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-1942

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:[ANNOUNCE] Apache Traffic Server is vulnerable to various HTTP/1.x and HTTP/2 attacks DebianDebian Security Advisoryurl:https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cusers.trafficserver.apache.org%3E

Trust: 0.8

title:Patch for Apache Traffic Server Environmental Issues Vulnerability (CNVD-2021-49082)url:https://www.cnvd.org.cn/patchInfo/show/278056

Trust: 0.6

title:Apache Traffic Server Remediation measures for environmental problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=156246

Trust: 0.6

title:Debian CVElist Bug Report Logs: trafficserver: Apache Traffic Server is vulnerable to various HTTP/1.x and HTTP/2 attacksurl:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=b751099c4cea0bef933c0d8b21d6a659

Trust: 0.1

title:Debian Security Advisories: DSA-4957-1 trafficserver -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=36855d9446fa2f34a6ebeffd24b3973b

Trust: 0.1

sources: CNVD: CNVD-2021-49082 // VULMON: CVE-2021-32565 // JVNDB: JVNDB-2021-008907 // CNNVD: CNNVD-202106-1942

EXTERNAL IDS

db:NVDid:CVE-2021-32565

Trust: 4.0

db:JVNDBid:JVNDB-2021-008907

Trust: 0.8

db:CNVDid:CNVD-2021-49082

Trust: 0.6

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:CS-HELPid:SB2021081714

Trust: 0.6

db:CS-HELPid:SB2021063020

Trust: 0.6

db:AUSCERTid:ESB-2021.2759

Trust: 0.6

db:CNNVDid:CNNVD-202106-1942

Trust: 0.6

db:VULMONid:CVE-2021-32565

Trust: 0.1

db:PACKETSTORMid:169107

Trust: 0.1

sources: CNVD: CNVD-2021-49082 // VULMON: CVE-2021-32565 // JVNDB: JVNDB-2021-008907 // PACKETSTORM: 169107 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1942 // NVD: CVE-2021-32565

REFERENCES

url:https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3cusers.trafficserver.apache.org%3e

Trust: 1.7

url:https://www.debian.org/security/2021/dsa-4957

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-32565

Trust: 1.5

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021081714

Trust: 0.6

url:https://vigilance.fr/vulnerability/apache-traffic-server-five-vulnerabilities-36136

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021063020

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2759

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/444.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990303

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-32566

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-32567

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-27577

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://security-tracker.debian.org/tracker/trafficserver

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-35474

Trust: 0.1

sources: CNVD: CNVD-2021-49082 // VULMON: CVE-2021-32565 // JVNDB: JVNDB-2021-008907 // PACKETSTORM: 169107 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1942 // NVD: CVE-2021-32565

CREDITS

Debian

Trust: 0.1

sources: PACKETSTORM: 169107

SOURCES

db:CNVDid:CNVD-2021-49082
db:VULMONid:CVE-2021-32565
db:JVNDBid:JVNDB-2021-008907
db:PACKETSTORMid:169107
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202106-1942
db:NVDid:CVE-2021-32565

LAST UPDATE DATE

2024-08-14T12:30:49.609000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-49082date:2021-07-10T00:00:00
db:VULMONid:CVE-2021-32565date:2021-08-14T00:00:00
db:JVNDBid:JVNDB-2021-008907date:2022-03-31T06:35:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202106-1942date:2021-08-20T00:00:00
db:NVDid:CVE-2021-32565date:2021-09-20T18:52:38.810

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-49082date:2021-07-10T00:00:00
db:VULMONid:CVE-2021-32565date:2021-06-29T00:00:00
db:JVNDBid:JVNDB-2021-008907date:2022-03-31T00:00:00
db:PACKETSTORMid:169107date:2021-08-28T19:12:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202106-1942date:2021-06-29T00:00:00
db:NVDid:CVE-2021-32565date:2021-06-29T12:15:08.573