CVE-2017-5660
Low
Low
Medium
High
Critical
CVSS Score
Vulnerability Description
There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and prior and 7.0.0 and prior with the Host header and line folding. This can have issues when interacting with upstream proxies and the wrong host being used.
Known Affected Software
64 configuration(s) from 2 vendor(s)
traffic_server
Version:
5.0.1
CPE:
cpe:2.3:a:apache:traffic_server:5.0.1:*:*:*:*:*:*:*
traffic_server
Version:
5.2.0
CPE:
cpe:2.3:a:apache:traffic_server:5.2.0:*:*:*:*:*:*:*
traffic_server
Version:
2.1.9
CPE:
cpe:2.3:a:apache:traffic_server:2.1.9:*:*:*:*:*:*:*
traffic_server
Version:
2.1.5
CPE:
cpe:2.3:a:apache:traffic_server:2.1.5:*:*:*:*:*:*:*
traffic_server
Version:
4.2.0
CPE:
cpe:2.3:a:apache:traffic_server:4.2.0:*:*:*:*:*:*:*
traffic_server
Version:
3.1.2
CPE:
cpe:2.3:a:apache:traffic_server:3.1.2:*:*:*:*:*:*:*
traffic_server
Version:
3.2.4
CPE:
cpe:2.3:a:apache:traffic_server:3.2.4:*:*:*:*:*:*:*
traffic_server
Version:
6.0.0
CPE:
cpe:2.3:a:apache:traffic_server:6.0.0:*:*:*:*:*:*:*
traffic_server
Version:
2.1.7
CPE:
cpe:2.3:a:apache:traffic_server:2.1.7:*:*:*:*:*:*:*
traffic_server
Version:
6.0.3
CPE:
cpe:2.3:a:apache:traffic_server:6.0.3:*:*:*:*:*:*:*
traffic_server
Version:
5.1.1
CPE:
cpe:2.3:a:apache:traffic_server:5.1.1:*:*:*:*:*:*:*
traffic_server
Version:
2.0.1
CPE:
cpe:2.3:a:apache:traffic_server:2.0.1:*:*:*:*:*:*:*
traffic_server
Version:
4.0.0
CPE:
cpe:2.3:a:apache:traffic_server:4.0.0:*:*:*:*:*:*:*
traffic_server
Version:
2.1.1
CPE:
cpe:2.3:a:apache:traffic_server:2.1.1:*:*:*:*:*:*:*
traffic_server
Version:
3.0.1
CPE:
cpe:2.3:a:apache:traffic_server:3.0.1:*:*:*:*:*:*:*
traffic_server
Version:
3.3.4
CPE:
cpe:2.3:a:apache:traffic_server:3.3.4:*:*:*:*:*:*:*
traffic_server
Version:
5.2.1
CPE:
cpe:2.3:a:apache:traffic_server:5.2.1:*:*:*:*:*:*:*
traffic_server
Version:
6.2.0
CPE:
cpe:2.3:a:apache:traffic_server:6.2.0:*:*:*:*:*:*:*
traffic_server
Version:
7.0.0
CPE:
cpe:2.3:a:apache:traffic_server:7.0.0:rc0:*:*:*:*:*:*
traffic_server
Version:
5.3.0
CPE:
cpe:2.3:a:apache:traffic_server:5.3.0:*:*:*:*:*:*:*
traffic_server
Version:
5.3.1
CPE:
cpe:2.3:a:apache:traffic_server:5.3.1:*:*:*:*:*:*:*
traffic_server
Version:
2.1.6
CPE:
cpe:2.3:a:apache:traffic_server:2.1.6:*:*:*:*:*:*:*
traffic_server
Version:
4.2.2
CPE:
cpe:2.3:a:apache:traffic_server:4.2.2:*:*:*:*:*:*:*
traffic_server
Version:
5.3.2
CPE:
cpe:2.3:a:apache:traffic_server:5.3.2:*:*:*:*:*:*:*
traffic_server
Version:
3.0.0
CPE:
cpe:2.3:a:apache:traffic_server:3.0.0:*:*:*:*:*:*:*
traffic_server
Version:
5.0.0
CPE:
cpe:2.3:a:apache:traffic_server:5.0.0:*:*:*:*:*:*:*
traffic_server
Version:
2.1.8
CPE:
cpe:2.3:a:apache:traffic_server:2.1.8:*:*:*:*:*:*:*
traffic_server
Version:
2.1.4
CPE:
cpe:2.3:a:apache:traffic_server:2.1.4:*:*:*:*:*:*:*
traffic_server
Version:
6.1.0
CPE:
cpe:2.3:a:apache:traffic_server:6.1.0:*:*:*:*:*:*:*
traffic_server
Version:
3.2.2
CPE:
cpe:2.3:a:apache:traffic_server:3.2.2:*:*:*:*:*:*:*
traffic_server
Version:
3.3.5
CPE:
cpe:2.3:a:apache:traffic_server:3.3.5:*:*:*:*:*:*:*
traffic_server
Version:
2.1.2
CPE:
cpe:2.3:a:apache:traffic_server:2.1.2:*:*:*:*:*:*:*
traffic_server
Version:
5.1.2
CPE:
cpe:2.3:a:apache:traffic_server:5.1.2:*:*:*:*:*:*:*
traffic_server
Version:
3.0.4
CPE:
cpe:2.3:a:apache:traffic_server:3.0.4:*:*:*:*:*:*:*
traffic_server
Version:
2.1.3
CPE:
cpe:2.3:a:apache:traffic_server:2.1.3:*:*:*:*:*:*:*
traffic_server
Version:
3.1.3
CPE:
cpe:2.3:a:apache:traffic_server:3.1.3:*:*:*:*:*:*:*
traffic_server
Version:
3.1.1
CPE:
cpe:2.3:a:apache:traffic_server:3.1.1:*:*:*:*:*:*:*
traffic_server
Version:
3.2.5
CPE:
cpe:2.3:a:apache:traffic_server:3.2.5:*:*:*:*:*:*:*
traffic_server
Version:
4.1.0
CPE:
cpe:2.3:a:apache:traffic_server:4.1.0:*:*:*:*:*:*:*
traffic_server
Version:
3.0.2
CPE:
cpe:2.3:a:apache:traffic_server:3.0.2:*:*:*:*:*:*:*
traffic_server
Version:
2.0.0
CPE:
cpe:2.3:a:apache:traffic_server:2.0.0:alpha:*:*:*:*:*:*
traffic_server
Version:
4.1.1
CPE:
cpe:2.3:a:apache:traffic_server:4.1.1:*:*:*:*:*:*:*
traffic_server
Version:
3.2.0
CPE:
cpe:2.3:a:apache:traffic_server:3.2.0:*:*:*:*:*:*:*
traffic_server
Version:
3.1.4
CPE:
cpe:2.3:a:apache:traffic_server:3.1.4:*:*:*:*:*:*:*
traffic_server
Version:
3.3.1
CPE:
cpe:2.3:a:apache:traffic_server:3.3.1:*:*:*:*:*:*:*
traffic_server
Version:
3.3.0
CPE:
cpe:2.3:a:apache:traffic_server:3.3.0:*:*:*:*:*:*:*
traffic_server
Version:
5.1.0
CPE:
cpe:2.3:a:apache:traffic_server:5.1.0:*:*:*:*:*:*:*
traffic_server
Version:
4.2.3
CPE:
cpe:2.3:a:apache:traffic_server:4.2.3:*:*:*:*:*:*:*
traffic_server
Version:
3.1.0
CPE:
cpe:2.3:a:apache:traffic_server:3.1.0:*:*:*:*:*:*:*
traffic_server
Version:
3.3.2
CPE:
cpe:2.3:a:apache:traffic_server:3.3.2:*:*:*:*:*:*:*
traffic_server
Version:
3.2.1
CPE:
cpe:2.3:a:apache:traffic_server:3.2.1:*:*:*:*:*:*:*
traffic_server
Version:
3.0.3
CPE:
cpe:2.3:a:apache:traffic_server:3.0.3:*:*:*:*:*:*:*
traffic_server
Version:
6.1.1
CPE:
cpe:2.3:a:apache:traffic_server:6.1.1:*:*:*:*:*:*:*
traffic_server
Version:
4.2.1
CPE:
cpe:2.3:a:apache:traffic_server:4.2.1:*:*:*:*:*:*:*
traffic_server
Version:
2.1.0
CPE:
cpe:2.3:a:apache:traffic_server:2.1.0:*:*:*:*:*:*:*
traffic_server
Version:
4.0.2
CPE:
cpe:2.3:a:apache:traffic_server:4.0.2:*:*:*:*:*:*:*
traffic_server
Version:
4.2.1.1
CPE:
cpe:2.3:a:apache:traffic_server:4.2.1.1:*:*:*:*:*:*:*
traffic_server
Version:
6.2.2
CPE:
cpe:2.3:a:apache:traffic_server:6.2.2:rc0:*:*:*:*:*:*
traffic_server
Version:
3.3.3
CPE:
cpe:2.3:a:apache:traffic_server:3.3.3:*:*:*:*:*:*:*
traffic_server
Version:
4.0.1
CPE:
cpe:2.3:a:apache:traffic_server:4.0.1:*:*:*:*:*:*:*
traffic_server
Version:
3.0.5
CPE:
cpe:2.3:a:apache:traffic_server:3.0.5:*:*:*:*:*:*:*
traffic_server
Version:
4.1.2
CPE:
cpe:2.3:a:apache:traffic_server:4.1.2:*:*:*:*:*:*:*
traffic_server
Version:
6.2.1
CPE:
cpe:2.3:a:apache:traffic_server:6.2.1:rc0:*:*:*:*:*:*
debian_linux
Version:
9.0
CPE:
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
This vulnerability affects 64 software configuration(s). Ensure you patch all affected systems.
References & Resources
-
https://lists.apache.org/thread.html/22d84783d94c53a5132ec89f002fe5165c87561a9428bcb6713b3c98%40%3Cdev.trafficserver.apache.org%3Esecurity@apache.org
-
https://www.debian.org/security/2018/dsa-4128security@apache.org Third Party Advisory
-
https://lists.apache.org/thread.html/22d84783d94c53a5132ec89f002fe5165c87561a9428bcb6713b3c98%40%3Cdev.trafficserver.apache.org%3Eaf854a3a-2127-422b-91ae-364da2661108
-
https://www.debian.org/security/2018/dsa-4128af854a3a-2127-422b-91ae-364da2661108 Third Party Advisory
Severity Details
out of 10.0
Low
Weakness Type (CWE)
CWE-20
Top 25 #14
Improper Input Validation
- Description
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- Exploit Likelihood
- High
- Typical Severity
- High
- Abstraction Level
- Class
Key Information
- Published Date
- February 27, 2018
