CVE-2021-41585
Published: 3 November 2021
Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop accepting new connections. This issue affects Apache Traffic Server 5.0.0 to 9.1.0.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
trafficserver Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needs triage
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Needs triage
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
(debian: Only affects FreeBSD)
|
|
| xenial |
Needs triage
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
- https://www.openwall.com/lists/oss-security/2021/11/02/11
- https://github.com/apache/trafficserver/pull/8456/
- https://github.com/apache/trafficserver/commit/268b540edae0b3e51d033795a4dd7404a5756a93 (master)
- https://github.com/apache/trafficserver/commit/2b078741ecf14cbc7f5773b3e14ef0c1d3cf4cfb (8.1.x)
- https://www.cve.org/CVERecord?id=CVE-2021-41585
- NVD
- Launchpad
- Debian