Candidate: CVE-2018-8040
PublicDate: 2018-08-29 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8040
 http://www.openwall.com/lists/oss-security/2018/08/29/2
 https://github.com/apache/trafficserver/pull/3926
 https://github.com/apache/trafficserver/commit/cea07c03274807c1588dbdf03baa1537d958c92f
Description:
 Pages that are rendered using the ESI plugin can have access to the cookie
 header when the plugin is configured not to allow access. This affects
 Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To
 resolve this issue users running 6.x should upgrade to 6.2.3 or later
 versions and 7.x users should upgrade to 7.1.4 or later versions.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N [5.3 MEDIUM]


Patches_trafficserver:
upstream_trafficserver: released (7.1.4+ds-1)
precise/esm_trafficserver: DNE
trusty_trafficserver: ignored (reached end-of-life)
trusty/esm_trafficserver: DNE (trusty was needs-triage)
xenial_trafficserver: ignored (end of standard support, was needed)
bionic_trafficserver: needed
cosmic_trafficserver: not-affected (7.1.4+ds-1)
disco_trafficserver: not-affected (7.1.4+ds-1)
eoan_trafficserver: not-affected (7.1.4+ds-1)
focal_trafficserver: not-affected (7.1.4+ds-1)
groovy_trafficserver: not-affected (7.1.4+ds-1)
hirsute_trafficserver: not-affected (7.1.4+ds-1)
impish_trafficserver: not-affected (7.1.4+ds-1)
jammy_trafficserver: not-affected (7.1.4+ds-1)
devel_trafficserver: not-affected (7.1.4+ds-1)