CVE-2022-40743
Published: 19 December 2022
Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
trafficserver Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Not vulnerable
(9.2.0+ds-2)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Released
(9.1.4+ds-1)
|
|
| xenial |
Needs triage
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References
- https://lists.apache.org/thread/mrj2lg4s0hf027rk7gz8t7hbn9xpfg02
- https://github.com/apache/trafficserver/commit/eb5efe19e68e51db58a6320b4a99e3fc83336a14 (master)
- https://github.com/apache/trafficserver/commit/20c857a785da93fa0e3263597207b5ef35b65b7c (v9.1.x)
- https://www.cve.org/CVERecord?id=CVE-2022-40743
- NVD
- Launchpad
- Debian