|
|
|||
| Rule General Information |
|---|
| Release Date: | 2018-09-10 | |
| Rule Name: | MISC Apache Traffic Server ESI Plugin Cookie Header Information Disclosure Vulnerability (CVE-2018-8040) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. | |
| Impact: | Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions, this may aid in launching further attacks. | |
| Affected OS: | Network Device, Solaris, FreeBSD, Windows, Mac OS, iOS, Other Unix, Linux, Others, Android | |
| Reference: | SecurityFocusBID:105181 https://www.debian.org/security/2018/dsa-4282 https://lists.apache.org/thread.html/36b3df68fe7311965f6bc4630ca413d2aa99d8f1d53affda85ea70d7@%3Cusers.trafficserver.apache.org%3E https://github.com/apache/trafficserver/pull/3926 https://lists.apache.org/thread.html/cc7aa2ce1c6f4fe0c6bfef517763cdaad30ec7bcb0115b73f73f3c01@%3Cusers.trafficserver.apache.org%3E |
|
| Solutions |
|---|
| To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions. |