ID

VAR-202310-1673


CVE

CVE-2023-39456


TITLE

Input validation vulnerability in Apache Traffic Server (Apache Software Foundation) and products from multiple other vendors

Trust: 0.8

sources: JVNDB: JVNDB-2023-014915

DESCRIPTION

Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 9.2.3, which fixes the issue.

This vulnerability is caused by an HTTP/2 frame format error and is vulnerable to HTTP/2 and s3 authentication plug-in attacks. An attacker could exploit this vulnerability to cause a denial of service.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5549-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 05, 2023                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : trafficserver
CVE ID         : CVE-2022-47185 CVE-2023-33934 CVE-2023-39456 CVE-2023-41752 CVE-2023-44487

Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service or information disclosure.

For the oldstable distribution (bullseye), these problems have been fixed in version 8.1.9+ds-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 9.2.3+ds-1+deb12u1.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to its security tracker page at: https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVH8qoACgkQEMKTtsN8
TjbxOhAAkZMjvXgCcE1d9hO03bcOOVEU8dm3D7POoeIVqmZlgHRH6Q7xh1E3ER+C
dl2Nix0Y+8KiCP9JjL6K9yzNcMpmeQ1M6QYD8HJxyj/ihVpWv+SMrdelVyYG5BPM
ClWLHzNk6oQm3fMWE//EXm6vxoXOust61gTjhjozV7D1VvWYvLdDt/w59I+wHHc2
XIJ9gVakNvVrmdB2ItEwrYmPrRA6uECB3ag3xP4Wh1H9SkwVgcbBW6ZrgmPAjVQO
UTxdCYJuoWkYavr6bolxUG833DfnJRPk9mZJVCdvX4FJnNI6Mp/XGWQ0KNx8K2Xj
u6bG//dTJ948q0i5c4thWlCuKkalpZAJ3KxcFyZo6Io1QjCaSN49Rj1agCuiJp4r
nmbh0GAlebvOypuiOZieJEEbTIhJpgF1hCLS2jy/Eo8qLP7Iodvr2US7JNwVEirj
v0GZx9w9uyFYKfNgRDlJDdaJsmi+2YfbXO4uxp8rFNUY3acL/P8mTsMJohiWjNuH
q+/hY7egr7igRPSe+zl2m/tpx1zlPxH761qMqdTVNwztE4t09vW4crPrQ8siwmC1
0HCyGef7R8eNqlODCwpeG1wC+DXHzx00FWUG1r24lNGf7koFnsuALJBPGRptbHqm
v6z+piRi8deQNb1vCsQXBzsXjVrK+i/MAAjNixnvTJ9BnVh2ZPY=
=gKYQ
-----END PGP SIGNATURE-----

Trust: 2.25

sources: NVD: CVE-2023-39456 // JVNDB: JVNDB-2023-014915 // CNVD: CNVD-2023-93321 // PACKETSTORM: 175650

IOT TAXONOMY

category: Network device, sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2023-93321

AFFECTED PRODUCTS

vendor: apache, model: traffic server, scope: gte, version: 9.0.0

Trust: 1.0

vendor: fedoraproject, model: fedora, scope: eq, version: 38

Trust: 1.0

vendor: apache, model: traffic server, scope: lt, version: 9.2.3

Trust: 1.0

vendor: fedoraproject, model: fedora, scope: eq, version: 37

Trust: 1.0

vendor: fedora, model: fedora, scope: -, version: -

Trust: 0.8

vendor: apache, model: traffic server, scope: -, version: -

Trust: 0.8

vendor: apache, model: traffic server, scope: gte, version: 9.0.0,<9.2.3

Trust: 0.6

sources: CNVD: CNVD-2023-93321 // JVNDB: JVNDB-2023-014915 // NVD: CVE-2023-39456

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-39456
value: HIGH

Trust: 1.0

NVD: CVE-2023-39456
value: HIGH

Trust: 0.8

CNVD: CNVD-2023-93321
value: HIGH

Trust: 0.6

CNVD: CNVD-2023-93321
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2023-39456
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2023-39456
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2023-93321 // JVNDB: JVNDB-2023-014915 // NVD: CVE-2023-39456

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.0

problemtype: Improper input validation (CWE-20) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2023-014915 // NVD: CVE-2023-39456

TYPE

info disclosure

Trust: 0.1

sources: PACKETSTORM: 175650

PATCH

title: Patch for Apache Traffic Server input validation error vulnerability (CNVD-2023-93321)
url: https://www.cnvd.org.cn/patchInfo/show/492411

Trust: 0.6

sources: CNVD: CNVD-2023-93321

EXTERNAL IDS

db: NVD, id: CVE-2023-39456

Trust: 3.3

db: JVNDB, id: JVNDB-2023-014915

Trust: 0.8

db: CNVD, id: CNVD-2023-93321

Trust: 0.6

db: PACKETSTORM, id: 175650

Trust: 0.1

sources: CNVD: CNVD-2023-93321 // JVNDB: JVNDB-2023-014915 // PACKETSTORM: 175650 // NVD: CVE-2023-39456

REFERENCES

url: https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q

Trust: 1.8

url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/jizsefc3ykcgaba2bzw6zjrmdzjmb7pj/

Trust: 1.8

url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/vhuhtsxlxgxs7jykbxta3vinuphtngvu/

Trust: 1.8

url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/zkqsikiat5tj3wslu3rdbq35yx4gy4v3/

Trust: 1.8

url: https://www.debian.org/security/2023/dsa-5549

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2023-39456

Trust: 1.5

url: https://nvd.nist.gov/vuln/detail/cve-2023-33934

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2022-47185

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2023-44487

Trust: 0.1

url: https://security-tracker.debian.org/tracker/trafficserver

Trust: 0.1

url: https://www.debian.org/security/

Trust: 0.1

url: https://www.debian.org/security/faq

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2023-41752

Trust: 0.1

sources: CNVD: CNVD-2023-93321 // JVNDB: JVNDB-2023-014915 // PACKETSTORM: 175650 // NVD: CVE-2023-39456

CREDITS

Debian

Trust: 0.1

sources: PACKETSTORM: 175650

SOURCES

db: CNVD, id: CNVD-2023-93321
db: JVNDB, id: JVNDB-2023-014915
db: PACKETSTORM, id: 175650
db: NVD, id: CVE-2023-39456

LAST UPDATE DATE

2024-08-14T13:06:21.905000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2023-93321, date: 2023-11-28T00:00:00
db: JVNDB, id: JVNDB-2023-014915, date: 2023-12-26T06:58:00
db: NVD, id: CVE-2023-39456, date: 2023-11-06T03:15:11.950

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2023-93321, date: 2023-11-28T00:00:00
db: JVNDB, id: JVNDB-2023-014915, date: 2023-12-26T00:00:00
db: PACKETSTORM, id: 175650, date: 2023-11-13T22:11:28
db: NVD, id: CVE-2023-39456, date: 2023-10-17T07:15:09.737